RecordNumber,EventRecordId,TimeCreated,EventId,Level,Provider,Channel,ProcessId,ThreadId,Computer,ChunkNumber,UserId,MapDescription,UserName,RemoteHost,PayloadData1,PayloadData2,PayloadData3,PayloadData4,PayloadData5,PayloadData6,ExecutableInfo,HiddenRecord,SourceFile,Keywords,ExtraDataOffset,Payload
5585,5585,2025-09-11 05:57:31.8483911,1102,Info,Microsoft-Windows-Eventlog,Security,1120,4788,DESKTOP-139UKNF,0,,Event log cleared,DESKTOP-139UKNF\resea,,SID: (S-1-5-21-2679750263-731459410-1187419055-1001),,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,0x4020000000000000,0,"{""UserData"":{""LogFileCleared"":{""SubjectUserSid"":""S-1-5-21-2679750263-731459410-1187419055-1001"",""SubjectUserName"":""resea"",""SubjectDomainName"":""DESKTOP-139UKNF"",""SubjectLogonId"":""0x3CF3F"",""ClientProcessId"":""2984"",""ClientProcessStartKey"":""562949953421648""}}}"
5586,5586,2025-09-11 05:57:32.7085364,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 
05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5587,5587,2025-09-11 05:57:32.7102249,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5588,5588,2025-09-11 05:57:32.7102963,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5589,5589,2025-09-11 05:57:32.7113466,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5590,5590,2025-09-11 
05:57:32.7442632,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5591,5591,2025-09-11 05:57:32.7457355,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5592,5592,2025-09-11 05:57:32.7458054,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5593,5593,2025-09-11 
05:57:32.7469736,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5594,5594,2025-09-11 05:57:32.7809521,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5595,5595,2025-09-11 05:57:32.7825674,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5596,5596,2025-09-11 
05:57:32.7826391,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5597,5597,2025-09-11 05:57:32.7832724,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5598,5598,2025-09-11 05:57:37.9482566,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5599,5599,2025-09-11 
05:57:37.9502179,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5600,5600,2025-09-11 05:57:37.9503024,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5601,5601,2025-09-11 05:57:37.9524138,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5602,5602,2025-09-11 
05:57:37.9749990,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5603,5603,2025-09-11 05:57:37.9760181,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5604,5604,2025-09-11 05:57:37.9760660,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5605,5605,2025-09-11 
05:57:37.9770756,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5606,5606,2025-09-11 05:57:37.9980060,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5607,5607,2025-09-11 05:57:37.9990049,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5608,5608,2025-09-11 
05:57:37.9990492,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5609,5609,2025-09-11 05:57:37.9999890,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5610,5610,2025-09-11 05:57:43.0943937,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5611,5611,2025-09-11 
05:57:43.0974278,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5612,5612,2025-09-11 05:57:43.0975162,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5613,5613,2025-09-11 05:57:43.0993140,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5614,5614,2025-09-11 
05:57:43.1545687,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5615,5615,2025-09-11 05:57:43.1560039,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5616,5616,2025-09-11 05:57:43.1560542,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5617,5617,2025-09-11 
05:57:43.1567749,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5618,5618,2025-09-11 05:57:43.1832405,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5619,5619,2025-09-11 05:57:43.1842520,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5620,5620,2025-09-11 
05:57:43.1842988,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5621,5621,2025-09-11 05:57:43.1847936,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5622,5622,2025-09-11 05:57:43.7966501,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5623,5623,2025-09-11 
05:57:43.7978036,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5624,5624,2025-09-11 05:57:43.7978530,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5625,5625,2025-09-11 05:57:43.7992177,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5626,5626,2025-09-11 
05:57:43.9090010,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5627,5627,2025-09-11 05:57:43.9101872,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5628,5628,2025-09-11 05:57:43.9102367,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5629,5629,2025-09-11 
05:57:43.9122390,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5630,5630,2025-09-11 05:57:44.0211660,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,XboxLive,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""XboxLive""},{""@Name"":""Type"",""#text"":""1""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8099""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:57:43.9624853""},{""@Name"":""ClientProcessId"",""#text"":""5612""}]}}" 5631,5631,2025-09-11 05:57:44.0864641,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,XboxLive,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""XboxLive""},{""@Name"":""Type"",""#text"":""1""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8099""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:57:43.9624853""},{""@Name"":""ClientProcessId"",""#text"":""5612""}]}}" 5632,5632,2025-09-11 05:57:44.3825968,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: 
DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5633,5633,2025-09-11 05:57:44.3839510,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5634,5634,2025-09-11 05:57:44.3840011,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5635,5635,2025-09-11 
05:57:44.3850763,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5636,5636,2025-09-11 05:57:48.2611952,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5637,5637,2025-09-11 05:57:48.2621938,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5638,5638,2025-09-11 
05:57:48.2622442,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5639,5639,2025-09-11 05:57:48.2627861,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5640,5640,2025-09-11 05:57:48.2911278,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5641,5641,2025-09-11 
05:57:48.2922908,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5642,5642,2025-09-11 05:57:48.2923421,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5643,5643,2025-09-11 05:57:48.2948182,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5644,5644,2025-09-11 
05:57:48.3247868,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5645,5645,2025-09-11 05:57:48.3257891,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5646,5646,2025-09-11 05:57:48.3258378,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5647,5647,2025-09-11 
05:57:48.3265099,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5648,5648,2025-09-11 05:57:53.6427533,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5649,5649,2025-09-11 05:57:53.6441801,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5650,5650,2025-09-11 
05:57:53.6442702,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5651,5651,2025-09-11 05:57:53.6463659,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5652,5652,2025-09-11 05:57:53.7028247,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5653,5653,2025-09-11 
05:57:53.7044346,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5654,5654,2025-09-11 05:57:53.7044887,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5655,5655,2025-09-11 05:57:53.7054991,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5656,5656,2025-09-11 
05:57:53.7566803,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5657,5657,2025-09-11 05:57:53.7577366,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5658,5658,2025-09-11 05:57:53.7578025,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5659,5659,2025-09-11 
05:57:53.7591132,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5660,5660,2025-09-11 05:57:58.9155454,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5661,5661,2025-09-11 05:57:58.9173515,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5662,5662,2025-09-11 
05:57:58.9174292,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5663,5663,2025-09-11 05:57:58.9199692,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5664,5664,2025-09-11 05:57:58.9422709,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5665,5665,2025-09-11 
05:57:58.9450051,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5666,5666,2025-09-11 05:57:58.9450701,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5667,5667,2025-09-11 05:57:58.9457425,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5668,5668,2025-09-11 
05:57:58.9464442,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5669,5669,2025-09-11 05:57:58.9474081,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5670,5670,2025-09-11 05:57:58.9474635,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5671,5671,2025-09-11 
05:57:58.9480307,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5672,5672,2025-09-11 05:57:58.9763932,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5673,5673,2025-09-11 05:57:58.9787164,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5674,5674,2025-09-11 
05:57:58.9787871,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5675,5675,2025-09-11 05:57:58.9799972,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5676,5676,2025-09-11 05:58:06.5734598,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5677,5677,2025-09-11 
05:58:06.5781099,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5678,5678,2025-09-11 05:58:06.5782028,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5679,5679,2025-09-11 05:58:06.5807565,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5680,5680,2025-09-11 
05:58:06.6270045,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5681,5681,2025-09-11 05:58:06.6285207,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5682,5682,2025-09-11 05:58:06.6286044,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5683,5683,2025-09-11 
05:58:06.6297934,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5684,5684,2025-09-11 05:58:06.6644327,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5685,5685,2025-09-11 05:58:06.6666542,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5686,5686,2025-09-11 
05:58:06.6667610,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5687,5687,2025-09-11 05:58:06.6680472,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5688,5688,2025-09-11 05:58:09.0881705,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5689,5689,2025-09-11 
05:58:09.0905329,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5690,5690,2025-09-11 05:58:09.0905981,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5691,5691,2025-09-11 05:58:09.0923456,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5692,5692,2025-09-11 
05:58:11.8660947,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5693,5693,2025-09-11 05:58:11.8682520,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,0,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5694,5694,2025-09-11 05:58:11.8685453,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5695,5695,2025-09-11 
05:58:11.8717453,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5696,5696,2025-09-11 05:58:11.9411817,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5697,5697,2025-09-11 05:58:11.9483883,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5698,5698,2025-09-11 
05:58:11.9485096,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5699,5699,2025-09-11 05:58:11.9520467,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5700,5700,2025-09-11 05:58:12.0189271,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5701,5701,2025-09-11 
05:58:12.0280631,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5702,5702,2025-09-11 05:58:12.0281619,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5703,5703,2025-09-11 05:58:12.0370548,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5704,5704,2025-09-11 
05:58:15.4691014,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5705,5705,2025-09-11 05:58:15.4716690,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5706,5706,2025-09-11 05:58:15.4717353,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5707,5707,2025-09-11 
05:58:15.4728242,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5708,5708,2025-09-11 05:58:17.2683980,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5709,5709,2025-09-11 05:58:17.2711725,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5710,5710,2025-09-11 
05:58:17.2713003,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5711,5711,2025-09-11 05:58:17.2723861,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5712,5712,2025-09-11 05:58:17.3116147,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5713,5713,2025-09-11 
05:58:17.3153998,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5714,5714,2025-09-11 05:58:17.3155049,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5715,5715,2025-09-11 05:58:17.3171967,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5716,5716,2025-09-11 
05:58:17.3485384,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5717,5717,2025-09-11 05:58:17.3515587,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5718,5718,2025-09-11 05:58:17.3516336,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5719,5719,2025-09-11 
05:58:17.3529051,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5720,5720,2025-09-11 05:58:18.9356062,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5721,5721,2025-09-11 05:58:18.9381951,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5722,5722,2025-09-11 
05:58:18.9383003,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5723,5723,2025-09-11 05:58:18.9400561,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5724,5724,2025-09-11 05:58:22.4772193,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5725,5725,2025-09-11 
05:58:22.4787047,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5726,5726,2025-09-11 05:58:22.4788553,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5727,5727,2025-09-11 05:58:22.4795674,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5728,5728,2025-09-11 
05:58:22.5072486,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5729,5729,2025-09-11 05:58:22.5084594,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5730,5730,2025-09-11 05:58:22.5085746,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5731,5731,2025-09-11 
05:58:22.5093073,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5732,5732,2025-09-11 05:58:22.5469095,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5733,5733,2025-09-11 05:58:22.5485453,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5734,5734,2025-09-11 
05:58:22.5487276,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5735,5735,2025-09-11 05:58:22.5496765,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5736,5736,2025-09-11 05:58:27.6966158,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5737,5737,2025-09-11 
05:58:27.6981834,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5738,5738,2025-09-11 05:58:27.6982404,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5739,5739,2025-09-11 05:58:27.7099436,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5740,5740,2025-09-11 
05:58:27.8540522,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5741,5741,2025-09-11 05:58:27.8554024,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5742,5742,2025-09-11 05:58:27.8554867,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5743,5743,2025-09-11 
05:58:27.8610134,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5744,5744,2025-09-11 05:58:27.9405192,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5745,5745,2025-09-11 05:58:27.9418024,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5746,5746,2025-09-11 
05:58:27.9418864,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5747,5747,2025-09-11 05:58:27.9545416,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5748,5748,2025-09-11 05:58:33.1391190,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5749,5749,2025-09-11 
05:58:33.1423196,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5750,5750,2025-09-11 05:58:33.1424319,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5751,5751,2025-09-11 05:58:33.1439171,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5752,5752,2025-09-11 
05:58:33.1929263,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5753,5753,2025-09-11 05:58:33.1950211,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5754,5754,2025-09-11 05:58:33.1951236,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5755,5755,2025-09-11 
05:58:33.1972336,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5756,5756,2025-09-11 05:58:33.2262925,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5757,5757,2025-09-11 05:58:33.2273936,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5758,5758,2025-09-11 
05:58:33.2274449,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5759,5759,2025-09-11 05:58:33.2287168,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5760,5760,2025-09-11 05:58:38.3531310,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5761,5761,2025-09-11 
05:58:38.3665020,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5762,5762,2025-09-11 05:58:38.3666457,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5763,5763,2025-09-11 05:58:38.3704456,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5764,5764,2025-09-11 
05:58:38.4182723,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5765,5765,2025-09-11 05:58:38.4198748,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5766,5766,2025-09-11 05:58:38.4199551,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5767,5767,2025-09-11 
05:58:38.4212079,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5768,5768,2025-09-11 05:58:38.4500312,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5769,5769,2025-09-11 05:58:38.4515337,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5770,5770,2025-09-11 
05:58:38.4516203,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5771,5771,2025-09-11 05:58:38.4526379,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5772,5772,2025-09-11 05:58:43.6649404,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5773,5773,2025-09-11 
05:58:43.6667497,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5774,5774,2025-09-11 05:58:43.6668194,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5775,5775,2025-09-11 05:58:43.6674963,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5776,5776,2025-09-11 
05:58:43.7086573,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5777,5777,2025-09-11 05:58:43.7099883,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5778,5778,2025-09-11 05:58:43.7100392,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5779,5779,2025-09-11 
05:58:43.7116401,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5780,5780,2025-09-11 05:58:43.7559857,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5781,5781,2025-09-11 05:58:43.7574982,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5782,5782,2025-09-11 
05:58:43.7575600,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5783,5783,2025-09-11 05:58:43.7633767,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5784,5784,2025-09-11 05:58:48.8878595,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5785,5785,2025-09-11 
05:58:48.8914547,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5786,5786,2025-09-11 05:58:48.8915490,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5787,5787,2025-09-11 05:58:48.8935584,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5788,5788,2025-09-11 
05:58:48.9395170,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5789,5789,2025-09-11 05:58:48.9409558,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5790,5790,2025-09-11 05:58:48.9410131,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5791,5791,2025-09-11 
05:58:48.9420848,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5792,5792,2025-09-11 05:58:48.9778397,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5793,5793,2025-09-11 05:58:48.9802019,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5794,5794,2025-09-11 
05:58:48.9802878,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5795,5795,2025-09-11 05:58:48.9818274,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5796,5796,2025-09-11 05:58:54.0960905,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5797,5797,2025-09-11 
05:58:54.0996676,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5798,5798,2025-09-11 05:58:54.0997697,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5799,5799,2025-09-11 05:58:54.1016700,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5800,5800,2025-09-11 
05:58:54.1370485,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5801,5801,2025-09-11 05:58:54.1386289,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5802,5802,2025-09-11 05:58:54.1386810,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5803,5803,2025-09-11 
05:58:54.1398786,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5804,5804,2025-09-11 05:58:54.1690645,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,1,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5805,5805,2025-09-11 05:58:54.1706309,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5806,5806,2025-09-11 
05:58:54.1707099,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5807,5807,2025-09-11 05:58:54.1717788,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5808,5808,2025-09-11 05:58:59.3244373,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5809,5809,2025-09-11 
05:58:59.3260964,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5810,5810,2025-09-11 05:58:59.3261552,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5811,5811,2025-09-11 05:58:59.3271933,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5812,5812,2025-09-11 
05:58:59.3754773,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5813,5813,2025-09-11 05:58:59.3769950,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5814,5814,2025-09-11 05:58:59.3770550,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5815,5815,2025-09-11 
05:58:59.3783494,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5816,5816,2025-09-11 05:58:59.4024808,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5817,5817,2025-09-11 05:58:59.4037753,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5818,5818,2025-09-11 
05:58:59.4038448,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5819,5819,2025-09-11 05:58:59.4057722,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5820,5820,2025-09-11 05:59:04.5214153,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5821,5821,2025-09-11 
05:59:04.5230954,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5822,5822,2025-09-11 05:59:04.5231564,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5823,5823,2025-09-11 05:59:04.5252676,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5824,5824,2025-09-11 
05:59:04.5562026,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5825,5825,2025-09-11 05:59:04.5581227,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5826,5826,2025-09-11 05:59:04.5581785,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5827,5827,2025-09-11 
05:59:04.5602814,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5828,5828,2025-09-11 05:59:04.5927758,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5829,5829,2025-09-11 05:59:04.5945289,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5830,5830,2025-09-11 
05:59:04.5946071,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5831,5831,2025-09-11 05:59:04.5966064,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5832,5832,2025-09-11 05:59:09.7430041,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5833,5833,2025-09-11 
05:59:09.7471490,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5834,5834,2025-09-11 05:59:09.7476441,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5835,5835,2025-09-11 05:59:09.7489454,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5836,5836,2025-09-11 
05:59:09.8122568,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5837,5837,2025-09-11 05:59:09.8135276,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5838,5838,2025-09-11 05:59:09.8136331,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5839,5839,2025-09-11 
05:59:09.8145328,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5840,5840,2025-09-11 05:59:09.8530088,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5841,5841,2025-09-11 05:59:09.8549194,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5842,5842,2025-09-11 
05:59:09.8549803,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5843,5843,2025-09-11 05:59:09.8557552,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5844,5844,2025-09-11 05:59:10.9548366,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5845,5845,2025-09-11 
05:59:10.9561628,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5846,5846,2025-09-11 05:59:10.9562144,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5847,5847,2025-09-11 05:59:10.9579439,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5848,5848,2025-09-11 
05:59:14.9941048,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5849,5849,2025-09-11 05:59:14.9960105,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5850,5850,2025-09-11 05:59:14.9960751,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5851,5851,2025-09-11 
05:59:14.9981000,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5852,5852,2025-09-11 05:59:15.0249036,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5853,5853,2025-09-11 05:59:15.0280499,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5854,5854,2025-09-11 
05:59:15.0281616,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5855,5855,2025-09-11 05:59:15.0297121,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5856,5856,2025-09-11 05:59:15.0697089,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5857,5857,2025-09-11 
05:59:15.0723050,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5858,5858,2025-09-11 05:59:15.0724019,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5859,5859,2025-09-11 05:59:15.0746219,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5860,5860,2025-09-11 
05:59:20.1825516,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5861,5861,2025-09-11 05:59:20.1843487,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5862,5862,2025-09-11 05:59:20.1844360,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5863,5863,2025-09-11 
05:59:20.1857634,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5864,5864,2025-09-11 05:59:20.2334841,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5865,5865,2025-09-11 05:59:20.2349591,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5866,5866,2025-09-11 
05:59:20.2350164,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5867,5867,2025-09-11 05:59:20.2379864,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5868,5868,2025-09-11 05:59:20.2730739,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5869,5869,2025-09-11 
05:59:20.2743980,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5870,5870,2025-09-11 05:59:20.2745155,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5871,5871,2025-09-11 05:59:20.2783439,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5872,5872,2025-09-11 
05:59:25.4204924,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5873,5873,2025-09-11 05:59:25.4224295,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5874,5874,2025-09-11 05:59:25.4225799,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5875,5875,2025-09-11 
05:59:25.4235239,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5876,5876,2025-09-11 05:59:25.4561178,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5877,5877,2025-09-11 05:59:25.4579014,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5878,5878,2025-09-11 
05:59:25.4603870,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5879,5879,2025-09-11 05:59:25.4679125,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5880,5880,2025-09-11 05:59:25.5560247,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5881,5881,2025-09-11 
05:59:25.5580116,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5882,5882,2025-09-11 05:59:25.5581022,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5883,5883,2025-09-11 05:59:25.5603492,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5884,5884,2025-09-11 
05:59:30.7017682,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5885,5885,2025-09-11 05:59:30.7033958,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5886,5886,2025-09-11 05:59:30.7034793,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5887,5887,2025-09-11 
05:59:30.7044637,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5888,5888,2025-09-11 05:59:30.7387040,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5889,5889,2025-09-11 05:59:30.7400579,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5890,5890,2025-09-11 
05:59:30.7401336,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5891,5891,2025-09-11 05:59:30.7421956,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5892,5892,2025-09-11 05:59:30.7764747,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5893,5893,2025-09-11 
05:59:30.7783501,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5894,5894,2025-09-11 05:59:30.7784310,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5895,5895,2025-09-11 05:59:30.7803384,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5896,5896,2025-09-11 
05:59:35.9558137,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5897,5897,2025-09-11 05:59:35.9587702,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5898,5898,2025-09-11 05:59:35.9590691,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5899,5899,2025-09-11 
05:59:35.9632613,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5900,5900,2025-09-11 05:59:36.0911691,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5901,5901,2025-09-11 05:59:36.0948789,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5902,5902,2025-09-11 
05:59:36.0953953,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5903,5903,2025-09-11 05:59:36.0969748,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5904,5904,2025-09-11 05:59:36.1583685,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5905,5905,2025-09-11 
05:59:36.1607840,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5906,5906,2025-09-11 05:59:36.1611407,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5907,5907,2025-09-11 05:59:36.1624579,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5908,5908,2025-09-11 
05:59:41.4686701,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5909,5909,2025-09-11 05:59:41.4700510,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5910,5910,2025-09-11 05:59:41.4701670,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5911,5911,2025-09-11 
05:59:41.4711821,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5912,5912,2025-09-11 05:59:41.5711717,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5913,5913,2025-09-11 05:59:41.5735354,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5914,5914,2025-09-11 
05:59:41.5741055,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5915,5915,2025-09-11 05:59:41.5769470,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,2,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5916,5916,2025-09-11 05:59:41.6488606,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5917,5917,2025-09-11 
05:59:41.6512589,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5918,5918,2025-09-11 05:59:41.6533031,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5919,5919,2025-09-11 05:59:41.6571189,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5920,5920,2025-09-11 
05:59:48.8759288,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5921,5921,2025-09-11 05:59:48.8786964,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5922,5922,2025-09-11 05:59:48.8788032,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5923,5923,2025-09-11 
05:59:48.8818772,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5924,5924,2025-09-11 05:59:49.1226617,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5925,5925,2025-09-11 05:59:49.1239196,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5926,5926,2025-09-11 
05:59:49.1240015,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5927,5927,2025-09-11 05:59:49.1247003,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5928,5928,2025-09-11 05:59:49.1560845,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5929,5929,2025-09-11 
05:59:49.1576306,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5930,5930,2025-09-11 05:59:49.1577305,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5931,5931,2025-09-11 05:59:49.1596370,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5932,5932,2025-09-11 
05:59:51.0299294,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 5933,5933,2025-09-11 
05:59:51.0299390,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 5934,5934,2025-09-11 05:59:51.1668999,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 5935,5935,2025-09-11 05:59:51.1669079,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 5936,5936,2025-09-11 05:59:51.2697626,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0x1EEC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1EEC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 5937,5937,2025-09-11 05:59:51.2757604,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 5938,5938,2025-09-11 05:59:51.2757682,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 
0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 5939,5939,2025-09-11 05:59:51.3058734,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0x1EEC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1EEC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 5940,5940,2025-09-11 05:59:51.3267247,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 
0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0x1EEC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1EEC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 5941,5941,2025-09-11 05:59:51.3515627,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0x1EEC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1EEC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 5942,5942,2025-09-11 05:59:54.3951839,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: 
DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5943,5943,2025-09-11 05:59:54.3975170,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5944,5944,2025-09-11 05:59:54.3978711,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5945,5945,2025-09-11 
05:59:54.4010970,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5946,5946,2025-09-11 05:59:54.5855374,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5947,5947,2025-09-11 05:59:54.5879054,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5948,5948,2025-09-11 
05:59:54.5880166,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5949,5949,2025-09-11 05:59:54.6226639,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5950,5950,2025-09-11 05:59:55.1996569,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5951,5951,2025-09-11 
05:59:55.2010318,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5952,5952,2025-09-11 05:59:55.2017431,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5953,5953,2025-09-11 05:59:55.3181537,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5954,5954,2025-09-11 
06:00:03.2409777,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5955,5955,2025-09-11 06:00:03.2447196,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5956,5956,2025-09-11 06:00:03.2448087,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5957,5957,2025-09-11 
06:00:03.3048784,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5958,5958,2025-09-11 06:00:03.5323073,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5959,5959,2025-09-11 06:00:03.5344932,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5960,5960,2025-09-11 
06:00:03.5345593,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5961,5961,2025-09-11 06:00:03.5383440,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5962,5962,2025-09-11 06:00:03.5405252,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5963,5963,2025-09-11 
06:00:03.5408390,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5964,5964,2025-09-11 06:00:03.5439282,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5965,5965,2025-09-11 06:00:03.5527254,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5966,5966,2025-09-11 
06:00:03.5549740,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5967,5967,2025-09-11 06:00:03.5604658,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5968,5968,2025-09-11 06:00:03.5605507,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5969,5969,2025-09-11 
06:00:03.5798993,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5970,5970,2025-09-11 06:00:03.5819570,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5971,5971,2025-09-11 06:00:03.5820232,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5972,5972,2025-09-11 
06:00:03.5828527,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5973,5973,2025-09-11 06:00:03.5903371,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5974,5974,2025-09-11 06:00:03.5910517,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5975,5975,2025-09-11 
06:00:03.5937983,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5976,5976,2025-09-11 06:00:03.5938594,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5977,5977,2025-09-11 06:00:03.6098577,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5978,5978,2025-09-11 
06:00:03.6483878,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5979,5979,2025-09-11 06:00:03.6501859,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5980,5980,2025-09-11 06:00:03.6502522,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5981,5981,2025-09-11 
06:00:03.6823620,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5982,5982,2025-09-11 06:00:03.6840030,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5983,5983,2025-09-11 06:00:03.6840661,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5984,5984,2025-09-11 
06:00:03.6874993,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5985,5985,2025-09-11 06:00:03.6889419,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5986,5986,2025-09-11 06:00:03.6890056,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5987,5987,2025-09-11 
06:00:03.6893859,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5988,5988,2025-09-11 06:00:03.6904037,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5989,5989,2025-09-11 06:00:03.6904616,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5990,5990,2025-09-11 
06:00:03.6907772,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5991,5991,2025-09-11 06:00:03.6967079,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5992,5992,2025-09-11 06:00:03.6987595,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5993,5993,2025-09-11 
06:00:03.7000909,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5994,5994,2025-09-11 06:00:03.8167792,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5995,5995,2025-09-11 06:00:03.8190161,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5996,5996,2025-09-11 
06:00:03.8190869,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5997,5997,2025-09-11 06:00:03.8419075,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5998,5998,2025-09-11 06:00:03.8754772,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 5999,5999,2025-09-11 
06:00:03.8792546,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6000,6000,2025-09-11 06:00:03.8793852,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6001,6001,2025-09-11 06:00:03.8898469,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6002,6002,2025-09-11 
06:00:03.9149607,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6003,6003,2025-09-11 06:00:03.9175699,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6004,6004,2025-09-11 06:00:03.9176528,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6005,6005,2025-09-11 
06:00:03.9297571,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6006,6006,2025-09-11 06:00:03.9588682,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6007,6007,2025-09-11 06:00:03.9601059,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6008,6008,2025-09-11 
06:00:03.9601690,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6009,6009,2025-09-11 06:00:03.9654497,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,8168,DESKTOP-139UKNF,3,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6010,6010,2025-09-11 06:00:04.7375356,5382,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,3,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""SchemaFriendlyName"",""#text"":""NGC Local Accoount Logon Vault Resource Schema""},{""@Name"":""Schema"",""#text"":""1d4350a3-330d-4af9-b3ff-a927a45998ac""},{""@Name"":""Resource"",""#text"":""NGC Local Accoount Logon Vault Resource""},{""@Name"":""Identity"",""#text"":""01050000000000051500000077BEB99F522F992BAF93C646E9030000""},{""@Name"":""PackageSid""},{""@Name"":""Flags"",""#text"":""0""},{""@Name"":""ReturnCode"",""#text"":""1168""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:56.9150331""},{""@Name"":""ClientProcessId"",""#text"":""4488""}]}}" 6011,6011,2025-09-11 06:00:06.7078730,5382,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""SchemaFriendlyName"",""#text"":""NGC Local Accoount Logon Vault Resource Schema""},{""@Name"":""Schema"",""#text"":""1d4350a3-330d-4af9-b3ff-a927a45998ac""},{""@Name"":""Resource"",""#text"":""NGC Local Accoount Logon Vault Resource""},{""@Name"":""Identity"",""#text"":""01050000000000051500000077BEB99F522F992BAF93C646E9030000""},{""@Name"":""PackageSid""},{""@Name"":""Flags"",""#text"":""0""},{""@Name"":""ReturnCode"",""#text"":""1168""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:56.9150331""},{""@Name"":""ClientProcessId"",""#text"":""4488""}]}}" 6012,6012,2025-09-11 06:00:06.9604247,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6013,6013,2025-09-11 
06:00:06.9608728,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6014,6014,2025-09-11 06:00:06.9612839,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6015,6015,2025-09-11 06:00:06.9617445,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6016,6016,2025-09-11 06:00:06.9681811,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,3,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 
0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6017,6017,2025-09-11 06:00:06.9694418,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6018,6018,2025-09-11 06:00:06.9718458,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A 
user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6019,6019,2025-09-11 06:00:06.9738758,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6020,6020,2025-09-11 06:00:09.1018937,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6021,6021,2025-09-11 06:00:09.1060147,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: 
S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6022,6022,2025-09-11 06:00:09.1060780,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6023,6023,2025-09-11 06:00:09.1087129,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6024,6024,2025-09-11 
06:00:09.1917597,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6025,6025,2025-09-11 06:00:09.1933776,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6026,6026,2025-09-11 06:00:09.1934535,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6027,6027,2025-09-11 
06:00:09.1946181,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6028,6028,2025-09-11 06:00:09.2363093,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6029,6029,2025-09-11 06:00:09.2375639,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6030,6030,2025-09-11 
06:00:09.2376298,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6031,6031,2025-09-11 06:00:09.2382433,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6032,6032,2025-09-11 06:00:09.2883504,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6033,6033,2025-09-11 06:00:09.2883577,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6034,6034,2025-09-11 06:00:12.8671211,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6035,6035,2025-09-11 06:00:12.8686884,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6036,6036,2025-09-11 06:00:12.8687516,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6037,6037,2025-09-11 
06:00:13.4178407,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6038,6038,2025-09-11 06:00:13.5854509,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6039,6039,2025-09-11 06:00:13.5887707,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6040,6040,2025-09-11 
06:00:13.5888373,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6041,6041,2025-09-11 06:00:13.6129988,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6042,6042,2025-09-11 06:00:14.4636120,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6043,6043,2025-09-11 
06:00:14.4671094,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6044,6044,2025-09-11 06:00:14.4672081,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6045,6045,2025-09-11 06:00:14.4695523,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6046,6046,2025-09-11 
06:00:14.4972975,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6047,6047,2025-09-11 06:00:14.4986093,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6048,6048,2025-09-11 06:00:14.4986719,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6049,6049,2025-09-11 
06:00:14.5024927,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6050,6050,2025-09-11 06:00:14.5501289,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6051,6051,2025-09-11 06:00:14.5525787,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6052,6052,2025-09-11 
06:00:14.5526553,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6053,6053,2025-09-11 06:00:14.5533324,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6054,6054,2025-09-11 06:00:14.5688702,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6055,6055,2025-09-11 
06:00:14.5734154,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6056,6056,2025-09-11 06:00:14.5734905,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6057,6057,2025-09-11 06:00:14.5793536,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6058,6058,2025-09-11 
06:00:14.6548549,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6059,6059,2025-09-11 06:00:14.6577199,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6060,6060,2025-09-11 06:00:14.6582200,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6061,6061,2025-09-11 
06:00:14.6602466,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6062,6062,2025-09-11 06:00:16.1788322,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=02cyvnhghhsuvcua,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02cyvnhghhsuvcua""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6063,6063,2025-09-11 06:00:16.1788970,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=02cyvnhghhsuvcua;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=02cyvnhghhsuvcua;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6064,6064,2025-09-11 06:00:16.1794176,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: 
S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=02cyvnhghhsuvcua;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=02cyvnhghhsuvcua;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6065,6065,2025-09-11 06:00:16.6650503,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=02cyvnhghhsuvcua,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02cyvnhghhsuvcua""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 
05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6066,6066,2025-09-11 06:00:16.6658260,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=02cyvnhghhsuvcua,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02cyvnhghhsuvcua""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6067,6067,2025-09-11 06:00:16.8377200,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=02cyvnhghhsuvcua,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02cyvnhghhsuvcua""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6068,6068,2025-09-11 06:00:16.8380791,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=02cyvnhghhsuvcua,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02cyvnhghhsuvcua""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6069,6069,2025-09-11 06:00:16.8466006,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 
0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6070,6070,2025-09-11 06:00:16.8466065,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, 
SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6071,6071,2025-09-11 06:00:23.6815130,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6072,6072,2025-09-11 
06:00:23.6818106,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6073,6073,2025-09-11 06:00:23.6820904,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6074,6074,2025-09-11 06:00:23.6823867,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x1D80,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1D80""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6075,6075,2025-09-11 06:00:27.1342311,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: 
ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6076,6076,2025-09-11 06:00:27.1355570,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6077,6077,2025-09-11 06:00:27.1356405,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6078,6078,2025-09-11 
06:00:27.1386733,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6079,6079,2025-09-11 06:00:27.1699492,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6080,6080,2025-09-11 06:00:27.1739785,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6081,6081,2025-09-11 
06:00:27.1740426,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6082,6082,2025-09-11 06:00:27.1755140,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6083,6083,2025-09-11 06:00:27.3505790,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6084,6084,2025-09-11 06:00:27.3505888,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6085,6085,2025-09-11 06:00:28.9289466,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6086,6086,2025-09-11 06:00:28.9299513,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6087,6087,2025-09-11 06:00:28.9300019,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6088,6088,2025-09-11 
06:00:28.9305444,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6089,6089,2025-09-11 06:00:28.9512667,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6090,6090,2025-09-11 06:00:28.9523743,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6091,6091,2025-09-11 
06:00:28.9524235,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6092,6092,2025-09-11 06:00:28.9528956,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6093,6093,2025-09-11 06:00:28.9656292,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6094,6094,2025-09-11 
06:00:28.9666837,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6095,6095,2025-09-11 06:00:28.9667283,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6096,6096,2025-09-11 06:00:28.9671600,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6097,6097,2025-09-11 
06:00:28.9877830,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6098,6098,2025-09-11 06:00:28.9887613,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6099,6099,2025-09-11 06:00:28.9888075,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6100,6100,2025-09-11 
06:00:28.9892561,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6101,6101,2025-09-11 06:00:29.0048970,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6102,6102,2025-09-11 06:00:29.0062251,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6103,6103,2025-09-11 
06:00:29.0062745,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6104,6104,2025-09-11 06:00:29.0100025,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6105,6105,2025-09-11 06:00:29.0262980,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6106,6106,2025-09-11 
06:00:29.0272186,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6107,6107,2025-09-11 06:00:29.0272949,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6108,6108,2025-09-11 06:00:29.0278420,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6109,6109,2025-09-11 
06:00:29.0441882,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6110,6110,2025-09-11 06:00:29.0450397,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6111,6111,2025-09-11 06:00:29.0450824,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6112,6112,2025-09-11 
06:00:29.0455718,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6113,6113,2025-09-11 06:00:29.0920324,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6114,6114,2025-09-11 06:00:29.0944612,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6115,6115,2025-09-11 
06:00:29.0945380,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6116,6116,2025-09-11 06:00:29.0965754,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6117,6117,2025-09-11 06:00:29.1296469,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6118,6118,2025-09-11 
06:00:29.1306753,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6119,6119,2025-09-11 06:00:29.1307214,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,4,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6120,6120,2025-09-11 06:00:29.1323202,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6121,6121,2025-09-11 
06:00:29.1609810,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6122,6122,2025-09-11 06:00:29.1621503,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6123,6123,2025-09-11 06:00:29.1622008,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6124,6124,2025-09-11 
06:00:29.1628940,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6125,6125,2025-09-11 06:00:29.2051144,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6126,6126,2025-09-11 06:00:29.2062276,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6127,6127,2025-09-11 
06:00:29.2062801,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6128,6128,2025-09-11 06:00:29.2071551,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6129,6129,2025-09-11 06:00:29.2611692,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6130,6130,2025-09-11 
06:00:29.2624531,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6131,6131,2025-09-11 06:00:29.2627221,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6132,6132,2025-09-11 06:00:29.2660890,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6133,6133,2025-09-11 
06:00:34.3509896,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6134,6134,2025-09-11 06:00:34.3523373,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6135,6135,2025-09-11 06:00:34.3523846,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6136,6136,2025-09-11 
06:00:34.3534131,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6137,6137,2025-09-11 06:00:34.4520298,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6138,6138,2025-09-11 06:00:34.4533642,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6139,6139,2025-09-11 
06:00:34.4534140,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6140,6140,2025-09-11 06:00:34.4543121,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6141,6141,2025-09-11 06:00:34.4808180,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6142,6142,2025-09-11 
06:00:34.4820951,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6143,6143,2025-09-11 06:00:34.4821410,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6144,6144,2025-09-11 06:00:34.4831052,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6145,6145,2025-09-11 
06:00:34.5260566,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6146,6146,2025-09-11 06:00:34.5272509,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6147,6147,2025-09-11 06:00:34.5273084,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6148,6148,2025-09-11 
06:00:34.5280632,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6149,6149,2025-09-11 06:00:34.5682038,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6150,6150,2025-09-11 06:00:34.5691960,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6151,6151,2025-09-11 
06:00:34.5692435,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6152,6152,2025-09-11 06:00:34.5698154,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6153,6153,2025-09-11 06:00:47.0956172,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CF3F,CountOfCredentialsReturned: 2,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetName""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""2""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:00:46.9431757""},{""@Name"":""ClientProcessId"",""#text"":""6420""}]}}" 6154,6154,2025-09-11 06:00:50.6994444,4625,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Failed logon,DESKTOP-139UKNF\resea,DESKTOP-139UKNF (::1),Target: 
DESKTOP-139UKNF\AF107User,LogonType 2,FailureReason1: the cause is either a bad username or authentication information,FailureReason2: user name does not exist,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit failure,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""Status"",""#text"":""0xC000006D""},{""@Name"":""FailureReason"",""#text"":""%%2313""},{""@Name"":""SubStatus"",""#text"":""0xC0000064""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""seclogo""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x152C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""::1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 6155,6155,2025-09-11 06:00:56.3804110,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6156,6156,2025-09-11 06:00:56.3820745,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6157,6157,2025-09-11 
06:00:56.3821278,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6158,6158,2025-09-11 06:00:56.3833536,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6159,6159,2025-09-11 06:00:57.8379331,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6160,6160,2025-09-11 06:00:57.8379430,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6161,6161,2025-09-11 06:01:02.2629258,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x1C14,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1C14""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6162,6162,2025-09-11 06:01:03.7017068,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6163,6163,2025-09-11 06:01:03.7033869,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6164,6164,2025-09-11 
06:01:03.7034405,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6165,6165,2025-09-11 06:01:03.7044795,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6166,6166,2025-09-11 06:01:11.0600119,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6167,6167,2025-09-11 
06:01:11.0634719,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6168,6168,2025-09-11 06:01:11.0635361,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6169,6169,2025-09-11 06:01:11.0650658,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6170,6170,2025-09-11 
06:01:58.9940601,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CF3F,CountOfCredentialsReturned: 2,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetName""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""2""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:01:58.9260179""},{""@Name"":""ClientProcessId"",""#text"":""224""}]}}" 6171,6171,2025-09-11 06:02:01.7810318,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CF3F,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6172,6172,2025-09-11 06:02:01.7827019,4625,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Failed logon,DESKTOP-139UKNF\resea,- (::1),Target: -\-,LogonType 2,FailureReason1: the cause is either a bad username or authentication information,FailureReason2: user name is correct but the password is wrong,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
failure,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""Status"",""#text"":""0xC000006D""},{""@Name"":""FailureReason"",""#text"":""%%2313""},{""@Name"":""SubStatus"",""#text"":""0xC000006A""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""seclogo""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x152C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""::1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 6173,6173,2025-09-11 06:02:25.2772973,4728,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A member was added to a security-enabled global group,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\None (S-1-5-21-2679750263-731459410-1187419055-513),Member: -,MemberSid: S-1-5-21-2679750263-731459410-1187419055-1002,SubjectLogonId: 0x3CF3F,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""MemberName"",""#text"":""-""},{""@Name"":""MemberSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""TargetUserName"",""#text"":""None""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-513""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""PrivilegeList"",""#text"":""-""}]}}" 6174,6174,2025-09-11 06:02:25.2814627,4720,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A new account was created,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""AF107User""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""%%1793""},{""@Name"":""HomePath"",""#text"":""%%1793""},{""@Name"":""ScriptPath"",""#text"":""%%1793""},{""@Name"":""ProfilePath"",""#text"":""%%1793""},{""@Name"":""UserWorkstations"",""#text"":""%%1793""},{""@Name"":""PasswordLastSet"",""#text"":""%%1794""},{""@Name"":""AccountExpires"",""#text"":""%%1794""},{""@Name"":""PrimaryGroupId"",""#text"":""513""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""0x0""},{""@Name"":""NewUacValue"",""#text"":""0x15""},{""@Name"":""UserAccountControl"",""#text"":"", %%2080, %%2082, %%2084""},{""@Name"":""UserParameters"",""#text"":""%%1793""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""%%1797""}]}}" 6175,6175,2025-09-11 06:02:25.3052276,4722,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A user account was enabled,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3CF3F,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""}]}}" 6176,6176,2025-09-11 06:02:25.3054394,4738,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A user account was changed,DESKTOP-139UKNF\resea,,Target: DESKTOP-139UKNF\AF107User,"Changed Attribute SamAccountName: AF107User DisplayName: %%1793 UserPrincipalName: - HomeDirectory: %%1793 HomePath: %%1793 ScriptPath: %%1793 ProfilePath: %%1793 UserWorkstations: %%1793 PasswordLastSet: 9/11/2025 2:02:25 AM AccountExpires: %%1794 PrimaryGroupId: 513 AllowedToDelegateTo: - OldUacValue: 0x15 NewUacValue: 0x10 UserAccountControl: , %%2048, %%2050 UserParameters: - SidHistory: - LogonHours: %%1797",,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""Dummy"",""#text"":""-""},{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""AF107User""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""%%1793""},{""@Name"":""HomePath"",""#text"":""%%1793""},{""@Name"":""ScriptPath"",""#text"":""%%1793""},{""@Name"":""ProfilePath"",""#text"":""%%1793""},{""@Name"":""UserWorkstations"",""#text"":""%%1793""},{""@Name"":""PasswordLastSet"",""#text"":""9/11/2025 2:02:25 AM""},{""@Name"":""AccountExpires"",""#text"":""%%1794""},{""@Name"":""PrimaryGroupId"",""#text"":""513""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""0x15""},{""@Name"":""NewUacValue"",""#text"":""0x10""},{""@Name"":""UserAccountControl"",""#text"":"", %%2048, %%2050""},{""@Name"":""UserParameters"",""#text"":""-""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""%%1797""}]}}" 6177,6177,2025-09-11 06:02:25.3054557,4724,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,An attempt was made to reset an account's password,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3CF3F,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""}]}}" 6178,6178,2025-09-11 06:02:25.3226211,4732,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A member was added to a security-enabled local group,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: Builtin\Users (S-1-5-32-545),SubjectLogonId: 0x3CF3F,MemberName: -,MemberSid: S-1-5-21-2679750263-731459410-1187419055-1002,PrivilegeList: -,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""MemberName"",""#text"":""-""},{""@Name"":""MemberSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""TargetUserName"",""#text"":""Users""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-545""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""PrivilegeList"",""#text"":""-""}]}}" 6179,6179,2025-09-11 06:02:34.7100088,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CF3F,CountOfCredentialsReturned: 2,,ActivityID: 
ad0e55ef-22df-0000-4b56-0eaddf22dc01,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetName""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""2""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:02:34.6518237""},{""@Name"":""ClientProcessId"",""#text"":""5304""}]}}" 6180,6180,2025-09-11 06:02:40.9589297,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A logon was attempted using explicit credentials,DESKTOP-139UKNF\resea,::1:0,Target: DESKTOP-139UKNF\AF107User,TargetServerName: localhost,PID: 0x152C,TargetInfo: localhost,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x152C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""::1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 6181,6181,2025-09-11 06:02:40.9589563,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Successful logon,DESKTOP-139UKNF\resea,DESKTOP-139UKNF (::1),Target: DESKTOP-139UKNF\AF107User,LogonType 2,LogonId: 0x6413BF,AuthenticationPackageName: Negotiate,LogonProcessName: seclogo,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CF3F""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6413BF""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""seclogo""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x152C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""::1""},{""@Name"":""IpPort"",""#text"":""0""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6182,6182,2025-09-11 06:02:41.5567320,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 
0x598,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x598""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6183,6183,2025-09-11 06:03:03.7654158,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6184,6184,2025-09-11 06:03:03.7672564,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were 
read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6185,6185,2025-09-11 06:03:03.7673115,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6186,6186,2025-09-11 06:03:03.7685139,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6187,6187,2025-09-11 
06:03:47.7959324,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6188,6188,2025-09-11 06:03:47.7982659,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6189,6189,2025-09-11 06:03:47.7983312,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6190,6190,2025-09-11 
06:03:47.7996157,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6191,6191,2025-09-11 06:03:48.9058488,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6192,6192,2025-09-11 06:03:48.9058550,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6193,6193,2025-09-11 06:03:52.9941872,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6194,6194,2025-09-11 06:03:52.9941933,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6195,6195,2025-09-11 06:03:53.0138380,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6196,6196,2025-09-11 06:03:53.0142173,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6197,6197,2025-09-11 06:03:53.0145495,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6198,6198,2025-09-11 06:03:53.0148553,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea 
(S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6199,6199,2025-09-11 06:03:53.0151692,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6200,6200,2025-09-11 06:03:53.0192621,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6201,6201,2025-09-11 06:03:53.0196529,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea 
(S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6202,6202,2025-09-11 06:03:53.0199969,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6203,6203,2025-09-11 06:03:53.0210759,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6204,6204,2025-09-11 06:03:53.0218701,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,A user's local group membership was enumerated,DESKTOP-139UKNF\resea 
(S-1-5-21-2679750263-731459410-1187419055-1001),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3CFF6,CallerProcessName: C:\Windows\System32\taskhostw.exe,CallerProcessId: 0x14B4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""CallerProcessId"",""#text"":""0x14B4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\taskhostw.exe""}]}}" 6205,6205,2025-09-11 06:03:53.0836983,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6206,6206,2025-09-11 06:03:53.0849669,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6207,6207,2025-09-11 
06:03:53.0850188,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6208,6208,2025-09-11 06:03:53.0915767,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6209,6209,2025-09-11 06:06:18.0912996,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6210,6210,2025-09-11 
06:06:18.1170666,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,5,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6211,6211,2025-09-11 06:06:18.1178012,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6212,6212,2025-09-11 06:06:18.1212420,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6213,6213,2025-09-11 
06:07:04.0202281,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6214,6214,2025-09-11 06:07:04.0256110,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,576,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6215,6215,2025-09-11 06:07:04.0257464,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 0,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6216,6216,2025-09-11 
06:07:04.0281858,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x3CFF6,CountOfCredentialsReturned: 1,,ActivityID: ad0e55ef-22df-0000-4b56-0eaddf22dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x3CFF6""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:43.0115970""},{""@Name"":""ClientProcessId"",""#text"":""288""}]}}" 6217,6217,2025-09-11 06:07:15.8291036,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\LogonUI.exe,CallerProcessId: 0x1CF4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,1128,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1CF4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\LogonUI.exe""}]}}" 6218,6218,2025-09-11 06:07:15.8939513,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\LogonUI.exe,CallerProcessId: 0x1CF4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,544,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x1CF4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\LogonUI.exe""}]}}" 6219,6219,2025-09-11 06:07:16.1749258,5382,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""SchemaFriendlyName"",""#text"":""NGC Local Accoount Logon Vault Resource Schema""},{""@Name"":""Schema"",""#text"":""1d4350a3-330d-4af9-b3ff-a927a45998ac""},{""@Name"":""Resource"",""#text"":""NGC Local Accoount Logon Vault Resource""},{""@Name"":""Identity"",""#text"":""01050000000000051500000077BEB99F522F992BAF93C646EA030000""},{""@Name"":""PackageSid""},{""@Name"":""Flags"",""#text"":""0""},{""@Name"":""ReturnCode"",""#text"":""1168""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 05:48:56.9150331""},{""@Name"":""ClientProcessId"",""#text"":""4488""}]}}" 6220,6220,2025-09-11 06:07:23.1271137,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4620""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 05:48:57.2680963""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 6221,6221,2025-09-11 06:07:23.1307633,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,684,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 
7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4620""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 05:48:57.2680963""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 6222,6222,2025-09-11 06:07:23.1622385,4738,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,A user account was changed,WORKGROUP\DESKTOP-139UKNF$,,Target: DESKTOP-139UKNF\resea,Changed Attribute SamAccountName: - DisplayName: %%1793 UserPrincipalName: - HomeDirectory: - HomePath: - ScriptPath: - ProfilePath: - UserWorkstations: - PasswordLastSet: - AccountExpires: - PrimaryGroupId: - AllowedToDelegateTo: - OldUacValue: - NewUacValue: - UserAccountControl: - UserParameters: - SidHistory: - LogonHours: -,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,2192,"{""EventData"":{""Data"":[{""@Name"":""Dummy"",""#text"":""-""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""-""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""-""},{""@Name"":""HomePath"",""#text"":""-""},{""@Name"":""ScriptPath"",""#text"":""-""},{""@Name"":""ProfilePath"",""#text"":""-""},{""@Name"":""UserWorkstations"",""#text"":""-""},{""@Name"":""PasswordLastSet"",""#text"":""-""},{""@Name"":""AccountExpires"",""#text"":""-""},{""@Name"":""PrimaryGroupId"",""#text"":""-""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""-""},{""@Name"":""NewUacValue"",""#text"":""-""},{""@Name"":""UserAccountControl"",""#text"":""-""},{""@Name"":""UserParameters"",""#text"":""-""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""-""}]}}" 6223,6223,2025-09-11 06:07:23.1665635,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,127.0.0.1:0,Target: MicrosoftAccount\researchaf@outlook.com,TargetServerName: localhost,PID: 0x6E0,TargetInfo: localhost,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x6E0""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 6224,6224,2025-09-11 06:07:23.1665947,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (127.0.0.1),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 11,LogonId: 0x6B9963,AuthenticationPackageName: Negotiate,"LogonProcessName: User32 ",,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x6B9963""},{""@Name"":""LogonType"",""#text"":""11""},{""@Name"":""LogonProcessName"",""#text"":""User32 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x6E0""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x6B99AB""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6225,6225,2025-09-11 06:07:23.1666136,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (127.0.0.1),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 11,LogonId: 0x6B99AB,AuthenticationPackageName: Negotiate,"LogonProcessName: User32 ",,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x6B99AB""},{""@Name"":""LogonType"",""#text"":""11""},{""@Name"":""LogonProcessName"",""#text"":""User32 ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x6E0""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x6B9963""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6226,6226,2025-09-11 06:07:23.1666215,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,60,DESKTOP-139UKNF,6,,Administrative logon,MicrosoftAccount\researchaf@outlook.com (S-1-5-21-2679750263-731459410-1187419055-1001),,"PrivilegeList: SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, 
SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x6B9963,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""SubjectDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""SubjectLogonId"",""#text"":""0x6B9963""},{""@Name"":""PrivilegeList"",""#text"":""SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6227,6227,2025-09-11 06:07:23.1822032,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4620""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 05:48:57.2680963""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 6228,6228,2025-09-11 06:07:23.1844223,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,624,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4620""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 05:48:57.2680963""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 6229,6229,2025-09-11 06:07:23.7771432,4738,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,6940,DESKTOP-139UKNF,6,,A user account was changed,WORKGROUP\DESKTOP-139UKNF$,,Target: DESKTOP-139UKNF\resea,Changed Attribute SamAccountName: - DisplayName: %%1793 UserPrincipalName: - HomeDirectory: - HomePath: - ScriptPath: - ProfilePath: - UserWorkstations: - PasswordLastSet: - AccountExpires: - PrimaryGroupId: - AllowedToDelegateTo: - OldUacValue: - NewUacValue: - UserAccountControl: - UserParameters: - SidHistory: - LogonHours: -,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""Dummy"",""#text"":""-""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""-""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""-""},{""@Name"":""HomePath"",""#text"":""-""},{""@Name"":""ScriptPath"",""#text"":""-""},{""@Name"":""ProfilePath"",""#text"":""-""},{""@Name"":""UserWorkstations"",""#text"":""-""},{""@Name"":""PasswordLastSet"",""#text"":""-""},{""@Name"":""AccountExpires"",""#text"":""-""},{""@Name"":""PrimaryGroupId"",""#text"":""-""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""-""},{""@Name"":""NewUacValue"",""#text"":""-""},{""@Name"":""UserAccountControl"",""#text"":""-""},{""@Name"":""UserParameters"",""#text"":""-""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""-""}]}}" 6230,6230,2025-09-11 06:07:23.7896725,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,6940,DESKTOP-139UKNF,6,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,-:-,Target: MicrosoftAccount\researchaf@outlook.com,TargetServerName: localhost,PID: 0x284,TargetInfo: localhost,,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x284""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""}]}}" 6231,6231,2025-09-11 06:07:23.7897274,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,6940,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (-),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 7,LogonId: 0x6BAAE7,AuthenticationPackageName: Negotiate,LogonProcessName: Negotiat,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x6BAAE7""},{""@Name"":""LogonType"",""#text"":""7""},{""@Name"":""LogonProcessName"",""#text"":""Negotiat""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x284""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x6BAB4E""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6232,6232,2025-09-11 06:07:23.7897573,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,6940,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (-),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 7,LogonId: 0x6BAB4E,AuthenticationPackageName: Negotiate,LogonProcessName: Negotiat,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 
7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x6BAB4E""},{""@Name"":""LogonType"",""#text"":""7""},{""@Name"":""LogonProcessName"",""#text"":""Negotiat""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x284""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x6BAAE7""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6233,6233,2025-09-11 06:07:23.7897635,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,6940,DESKTOP-139UKNF,6,,Administrative logon,MicrosoftAccount\researchaf@outlook.com (S-1-5-21-2679750263-731459410-1187419055-1001),,"PrivilegeList: SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x6BAAE7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""SubjectDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""SubjectLogonId"",""#text"":""0x6BAAE7""},{""@Name"":""PrivilegeList"",""#text"":""SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6234,6234,2025-09-11 06:07:23.7906177,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 2,LogonId: 0x6B99AB,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6B99AB""},{""@Name"":""LogonType"",""#text"":""2""}]}}" 6235,6235,2025-09-11 06:07:23.7908341,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 7,LogonId: 0x6BAB4E,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6BAB4E""},{""@Name"":""LogonType"",""#text"":""7""}]}}" 6236,6236,2025-09-11 06:07:23.7909920,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 2,LogonId: 0x6B9963,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6B9963""},{""@Name"":""LogonType"",""#text"":""2""}]}}" 6237,6237,2025-09-11 06:07:23.7910697,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 7,LogonId: 0x6BAAE7,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6BAAE7""},{""@Name"":""LogonType"",""#text"":""7""}]}}" 6238,6238,2025-09-11 06:07:39.4304110,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,An account was logged off,,,Target: DESKTOP-139UKNF\AF107User,LogonType 2,LogonId: 0x6413BF,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x6413BF""},{""@Name"":""LogonType"",""#text"":""2""}]}}" 6239,6239,2025-09-11 06:07:41.3082877,4647,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4048,DESKTOP-139UKNF,6,,User initiated logoff,Target: DESKTOP-139UKNF\resea,,,,LogonId: 0x3CFF6,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x3CFF6""}]}}" 6240,6240,2025-09-11 06:07:41.5705933,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6241,6241,2025-09-11 06:07:41.5711720,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6242,6242,2025-09-11 06:07:41.5713508,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount 
(S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6243,6243,2025-09-11 06:07:41.5717889,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6244,6244,2025-09-11 
06:07:41.5724023,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6245,6245,2025-09-11 06:07:41.5728295,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\WDAGUtilityAccount (S-1-5-21-2679750263-731459410-1187419055-504),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x6E0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""WDAGUtilityAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-504""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x6E0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6246,6246,2025-09-11 06:07:41.6508124,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6247,6247,2025-09-11 06:07:41.6508190,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6248,6248,2025-09-11 06:07:41.7988789,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x270""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6249,6249,2025-09-11 06:07:41.7988853,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6250,6250,2025-09-11 06:07:41.8360539,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6251,6251,2025-09-11 06:07:41.8365276,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6252,6252,2025-09-11 06:07:41.8368849,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6253,6253,2025-09-11 06:07:41.8372021,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest 
(S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6254,6254,2025-09-11 06:07:41.8376027,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6255,6255,2025-09-11 
06:07:41.8429055,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6256,6256,2025-09-11 06:07:41.8432777,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6257,6257,2025-09-11 06:07:41.8435910,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount (S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6258,6258,2025-09-11 06:07:41.8440218,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest 
(S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6259,6259,2025-09-11 06:07:41.8444672,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,644,4852,DESKTOP-139UKNF,6,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x19FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x19FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6260,6260,2025-09-11 
06:07:43.8802368,1100,Info,Microsoft-Windows-Eventlog,Security,1120,4840,DESKTOP-139UKNF,6,,The event logging service has shut down,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,0x4020000000000000,0,"{""UserData"":{""ServiceShutdown"":""""}}" 6261,6261,2025-09-11 06:07:22.1929833,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,32,DESKTOP-139UKNF,6,,A new process has been created,-\-,,"Parent process: ",PID: 0x5C,Parent PID: 0x4,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"Registry ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x5C""},{""@Name"":""NewProcessName"",""#text"":""Registry""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x4""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6262,6262,2025-09-11 06:07:22.1929940,4696,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,32,DESKTOP-139UKNF,6,,A privileged service was called,-\- (S-1-5-18),,Target: -\- (S-1-0-0),,,,,Registry (PID: 0x5C)," (PID: 0x4)",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetProcessId"",""#text"":""0x5C""},{""@Name"":""TargetProcessName"",""#text"":""Registry""},{""@Name"":""ProcessId"",""#text"":""0x4""},{""@Name"":""ProcessName""}]}}" 6263,6263,2025-09-11 06:07:22.1929973,4826,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,32,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LoadOptions"",""#text"":""-""},{""@Name"":""AdvancedOptions"",""#text"":""%%1843""},{""@Name"":""ConfigAccessPolicy"",""#text"":""%%1846""},{""@Name"":""RemoteEventLogging"",""#text"":""%%1843""},{""@Name"":""KernelDebug"",""#text"":""%%1843""},{""@Name"":""VsmLaunchType"",""#text"":""%%1848""},{""@Name"":""TestSigning"",""#text"":""%%1843""},{""@Name"":""FlightSigning"",""#text"":""%%1843""},{""@Name"":""DisableIntegrityChecks"",""#text"":""%%1843""},{""@Name"":""HypervisorLoadOptions"",""#text"":""-""},{""@Name"":""HypervisorLaunchType"",""#text"":""%%1848""},{""@Name"":""HypervisorDebug"",""#text"":""%%1843""}]}}" 6264,6264,2025-09-11 06:07:22.3331080,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,"Parent process: ",PID: 0x144,Parent PID: 0x4,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: 
-\-,,"C:\Windows\System32\smss.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x144""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x4""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6265,6265,2025-09-11 06:07:25.9073646,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,340,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x164,Parent PID: 0x144,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\autochk.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x164""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\autochk.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x144""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6266,6266,2025-09-11 06:07:26.5481885,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x19C,Parent PID: 0x144,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\smss.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x19C""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x144""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6267,6267,2025-09-11 06:07:26.6879640,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x1A8,Parent PID: 0x19C,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\csrss.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x1A8""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\csrss.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x19C""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6268,6268,2025-09-11 06:07:27.2735207,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x1E8,Parent PID: 0x144,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\smss.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x1E8""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x144""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6269,6269,2025-09-11 06:07:27.2948949,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x1F0,Parent PID: 0x19C,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\wininit.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x1F0""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\wininit.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x19C""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6270,6270,2025-09-11 06:07:27.2981311,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x1F8,Parent PID: 0x1E8,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\csrss.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x1F8""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\csrss.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x1E8""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6271,6271,2025-09-11 06:07:27.4789290,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\smss.exe,PID: 0x24C,Parent PID: 0x1E8,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\winlogon.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x24C""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x1E8""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\smss.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6272,6272,2025-09-11 06:07:27.6183931,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\wininit.exe,PID: 0x27C,Parent PID: 0x1F0,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\services.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x27C""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x1F0""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\wininit.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6273,6273,2025-09-11 06:07:27.6551456,4688,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,6,,A new process has been created,-\-,,Parent process: C:\Windows\System32\wininit.exe,PID: 0x290,Parent PID: 0x1F0,Mandatory label: SECURITY_MANDATORY_SYSTEM_RID,Target User: -\-,,"C:\Windows\System32\lsass.exe ",False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""NewProcessId"",""#text"":""0x290""},{""@Name"":""NewProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""TokenElevationType"",""#text"":""%%1936""},{""@Name"":""ProcessId"",""#text"":""0x1F0""},{""@Name"":""CommandLine""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""TargetLogonId"",""#text"":""0x0""},{""@Name"":""ParentProcessName"",""#text"":""C:\\Windows\\System32\\wininit.exe""},{""@Name"":""MandatoryLabel"",""#text"":""S-1-16-16384""}]}}" 6274,6274,2025-09-11 06:07:27.8198914,4608,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,660,DESKTOP-139UKNF,6,,Windows is starting up,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":""""}" 6275,6275,2025-09-11 06:07:27.8351511,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,660,DESKTOP-139UKNF,6,,Successful logon,-\-,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 0,LogonId: 0x3E7,AuthenticationPackageName: -,LogonProcessName: -,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-0-0""},{""@Name"":""SubjectUserName"",""#text"":""-""},{""@Name"":""SubjectDomainName"",""#text"":""-""},{""@Name"":""SubjectLogonId"",""#text"":""0x0""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""0""},{""@Name"":""LogonProcessName"",""#text"":""-""},{""@Name"":""AuthenticationPackageName"",""#text"":""-""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x4""},{""@Name"":""ProcessName""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""-""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6276,6276,2025-09-11 06:07:28.3694329,4902,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,708,DESKTOP-139UKNF,6,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""PuaCount"",""#text"":""0""},{""@Name"":""PuaPolicyId"",""#text"":""0x6B75""}]}}" 6277,6277,2025-09-11 06:07:28.4419280,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6278,6278,2025-09-11 06:07:28.4419383,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 
0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6279,6279,2025-09-11 06:07:28.4614172,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,-:-,Target: Font Driver Host\UMFD-0,TargetServerName: localhost,PID: 0x1F0,TargetInfo: localhost,,,C:\Windows\System32\wininit.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""UMFD-0""},{""@Name"":""TargetDomainName"",""#text"":""Font Driver Host""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x1F0""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\wininit.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""}]}}" 6280,6280,2025-09-11 
06:07:28.4614421,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: Font Driver Host\UMFD-0,LogonType 2,LogonId: 0x6DC0,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\wininit.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-96-0-0""},{""@Name"":""TargetUserName"",""#text"":""UMFD-0""},{""@Name"":""TargetDomainName"",""#text"":""Font Driver Host""},{""@Name"":""TargetLogonId"",""#text"":""0x6DC0""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x1F0""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\wininit.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1842""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6281,6281,2025-09-11 
06:07:28.4635029,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,6,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,-:-,Target: Font Driver Host\UMFD-1,TargetServerName: localhost,PID: 0x24C,TargetInfo: localhost,,,C:\Windows\System32\winlogon.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""UMFD-1""},{""@Name"":""TargetDomainName"",""#text"":""Font Driver Host""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x24C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""}]}}" 6282,6282,2025-09-11 06:07:28.4635192,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: Font Driver Host\UMFD-1,LogonType 2,LogonId: 0x6E5A,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\winlogon.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-96-0-1""},{""@Name"":""TargetUserName"",""#text"":""UMFD-1""},{""@Name"":""TargetDomainName"",""#text"":""Font Driver Host""},{""@Name"":""TargetLogonId"",""#text"":""0x6E5A""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x24C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1842""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6283,6283,2025-09-11 06:07:28.7925565,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\NETWORK SERVICE,LogonType 5,LogonId: 0x3E4,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-20""},{""@Name"":""TargetUserName"",""#text"":""NETWORK SERVICE""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E4""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6284,6284,2025-09-11 06:07:28.7925634,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\NETWORK SERVICE (S-1-5-20),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege",LogonId: 0x3E4,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-20""},{""@Name"":""SubjectUserName"",""#text"":""NETWORK SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E4""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege""}]}}" 6285,6285,2025-09-11 06:07:28.9064635,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6286,6286,2025-09-11 06:07:28.9064734,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6287,6287,2025-09-11 06:07:29.1460308,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,-:-,Target: Window Manager\DWM-1,TargetServerName: localhost,PID: 0x24C,TargetInfo: localhost,,,C:\Windows\System32\winlogon.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""DWM-1""},{""@Name"":""TargetDomainName"",""#text"":""Window Manager""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x24C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""}]}}" 6288,6288,2025-09-11 06:07:29.1460582,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: Window Manager\DWM-1,LogonType 2,LogonId: 0xBD94,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\winlogon.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-90-0-1""},{""@Name"":""TargetUserName"",""#text"":""DWM-1""},{""@Name"":""TargetDomainName"",""#text"":""Window Manager""},{""@Name"":""TargetLogonId"",""#text"":""0xBD94""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x24C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1842""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0xBDBF""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6289,6289,2025-09-11 06:07:29.1460735,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: Window Manager\DWM-1,LogonType 2,LogonId: 0xBDBF,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\winlogon.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-90-0-1""},{""@Name"":""TargetUserName"",""#text"":""DWM-1""},{""@Name"":""TargetDomainName"",""#text"":""Window Manager""},{""@Name"":""TargetLogonId"",""#text"":""0xBDBF""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x24C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\winlogon.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1842""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0xBD94""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 6290,6290,2025-09-11 06:07:29.1460787,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Administrative logon,Window Manager\DWM-1 (S-1-5-90-0-1),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege",LogonId: 0xBD94,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-90-0-1""},{""@Name"":""SubjectUserName"",""#text"":""DWM-1""},{""@Name"":""SubjectDomainName"",""#text"":""Window Manager""},{""@Name"":""SubjectLogonId"",""#text"":""0xBD94""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege""}]}}" 6291,6291,2025-09-11 06:07:29.1460804,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Administrative logon,Window Manager\DWM-1 (S-1-5-90-0-1),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege",LogonId: 0xBDBF,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-90-0-1""},{""@Name"":""SubjectUserName"",""#text"":""DWM-1""},{""@Name"":""SubjectDomainName"",""#text"":""Window Manager""},{""@Name"":""SubjectLogonId"",""#text"":""0xBDBF""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeAuditPrivilege""}]}}" 6292,6292,2025-09-11 06:07:29.4060439,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6293,6293,2025-09-11 06:07:29.4060511,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,6,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6294,6294,2025-09-11 06:07:29.4092020,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\LOCAL SERVICE,LogonType 5,LogonId: 0x3E5,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-19""},{""@Name"":""TargetUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E5""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6295,6295,2025-09-11 06:07:29.4092080,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\LOCAL SERVICE (S-1-5-19),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege",LogonId: 0x3E5,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeImpersonatePrivilege""}]}}" 6296,6296,2025-09-11 06:07:29.4830793,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi 
",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6297,6297,2025-09-11 06:07:29.4830864,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6298,6298,2025-09-11 06:07:30.0469163,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6299,6299,2025-09-11 06:07:30.0469260,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6300,6300,2025-09-11 06:07:30.2115530,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6301,6301,2025-09-11 06:07:30.2115595,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6302,6302,2025-09-11 06:07:30.5226175,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6303,6303,2025-09-11 06:07:30.5226256,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6304,6304,2025-09-11 06:07:30.6737301,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6305,6305,2025-09-11 06:07:30.6737382,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6306,6306,2025-09-11 06:07:30.6993009,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6307,6307,2025-09-11 06:07:30.6993081,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6308,6308,2025-09-11 06:07:31.1537185,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6309,6309,2025-09-11 06:07:31.1537265,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6310,6310,2025-09-11 06:07:31.1820102,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6311,6311,2025-09-11 06:07:31.1820171,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6312,6312,2025-09-11 06:07:31.4764961,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6313,6313,2025-09-11 06:07:31.4765042,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6314,6314,2025-09-11 06:07:31.7917213,5033,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,100,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":""""}" 6315,6315,2025-09-11 06:07:32.6736413,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6316,6316,2025-09-11 06:07:32.6736476,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6317,6317,2025-09-11 06:07:32.7105728,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6318,6318,2025-09-11 06:07:32.7105788,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6319,6319,2025-09-11 06:07:32.7443511,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6320,6320,2025-09-11 06:07:32.7443568,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6321,6321,2025-09-11 06:07:32.7705042,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6322,6322,2025-09-11 06:07:32.7705126,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6323,6323,2025-09-11 06:07:32.8296755,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6324,6324,2025-09-11 06:07:32.8296809,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6325,6325,2025-09-11 06:07:32.8365654,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6326,6326,2025-09-11 06:07:32.8365709,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6327,6327,2025-09-11 06:07:32.8416504,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6328,6328,2025-09-11 06:07:32.8416556,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6329,6329,2025-09-11 06:07:32.9363296,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-20),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E4,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x9FC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-20""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E4""},{""@Name"":""CallerProcessId"",""#text"":""0x9FC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 6330,6330,2025-09-11 06:07:33.1066841,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6331,6331,2025-09-11 06:07:33.1066906,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6332,6332,2025-09-11 06:07:35.5229116,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6333,6333,2025-09-11 06:07:35.5229178,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6334,6334,2025-09-11 06:07:37.3713207,5024,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":""""}" 6335,6335,2025-09-11 06:07:37.6975293,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6336,6336,2025-09-11 06:07:37.6975403,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6337,6337,2025-09-11 06:07:37.7630181,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6338,6338,2025-09-11 06:07:37.7630269,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6339,6339,2025-09-11 06:07:38.3786740,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,7,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\SearchIndexer.exe,CallerProcessId: 0xCB0,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xCB0""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\SearchIndexer.exe""}]}}" 6340,6340,2025-09-11 06:07:47.7314709,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 6341,6341,2025-09-11 06:07:47.7314844,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 6342,6342,2025-09-11 06:07:47.8624708,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=02cyvnhghhsuvcua;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=02cyvnhghhsuvcua;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6343,6343,2025-09-11 06:07:47.8629036,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=02cyvnhghhsuvcua;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=02cyvnhghhsuvcua;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6344,6344,2025-09-11 06:07:47.8629828,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,DESKTOP-139UKNF$,,SID: S-1-5-18,Domain: WORKGROUP,LogonID: 0x3E7,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:target=virtualapp/didlogical,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetName"",""#text"":""WindowsLive:target=virtualapp/didlogical""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6345,6345,2025-09-11 06:07:47.8733898,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT 
AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=02kctuyblsuasnxe;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=02kctuyblsuasnxe;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6346,6346,2025-09-11 06:07:47.8737548,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=02kctuyblsuasnxe;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=02kctuyblsuasnxe;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 
06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6347,6347,2025-09-11 06:07:47.8738322,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:target=virtualapp/didlogical,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""WindowsLive:target=virtualapp/didlogical""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6348,6348,2025-09-11 06:07:47.8758827,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=02kctuyblsuasnxe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02kctuyblsuasnxe""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6349,6349,2025-09-11 06:07:47.8759558,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=02kctuyblsuasnxe;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=02kctuyblsuasnxe;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6350,6350,2025-09-11 06:07:47.8762072,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 
55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=02kctuyblsuasnxe;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=02kctuyblsuasnxe;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6351,6351,2025-09-11 06:07:48.5204652,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=02kctuyblsuasnxe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02kctuyblsuasnxe""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6352,6352,2025-09-11 
06:07:48.5351526,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=02kctuyblsuasnxe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02kctuyblsuasnxe""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6353,6353,2025-09-11 06:07:48.5398925,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=02kctuyblsuasnxe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02kctuyblsuasnxe""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6354,6354,2025-09-11 06:07:48.5399573,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,7,,Credential Manager credentials were read,LOCAL SERVICE,,SID: S-1-5-19,Domain: NT AUTHORITY,LogonID: 0x3E5,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=02kctuyblsuasnxe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=02kctuyblsuasnxe""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 6355,6355,2025-09-11 06:07:59.0375683,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\_0000000000000000.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6356,6356,2025-09-11 06:07:59.0392372,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6357,6357,2025-09-11 
06:07:59.0412023,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6358,6358,2025-09-11 06:07:59.0446778,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6359,6359,2025-09-11 06:07:59.0474659,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_system32_wbem_06656d9fdf2f8577.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6360,6360,2025-09-11 
06:07:59.0501617,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_migration_wtr_ee7f023c51db84c1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6361,6361,2025-09-11 06:07:59.0546211,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6362,6362,2025-09-11 06:07:59.0567758,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6363,6363,2025-09-11 
06:07:59.0587458,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6364,6364,2025-09-11 06:07:59.0624877,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6365,6365,2025-09-11 06:07:59.0656714,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x20D0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6366,6366,2025-09-11 
06:07:59.0688160,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6367,6367,2025-09-11 06:07:59.0711021,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,7,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6368,6368,2025-09-11 06:07:59.0731936,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_mui_0409_abaaca3ee992e537.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6369,6369,2025-09-11 
06:07:59.0751939,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_config_a8a4d687ea5b766f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6370,6370,2025-09-11 06:07:59.0766888,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework64_v4.0.30319_1033_6479bf15e2148b3a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6371,6371,2025-09-11 06:07:59.0784309,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_83386eac0379231b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6372,6372,2025-09-11 
06:07:59.0816371,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6373,6373,2025-09-11 06:07:59.0840461,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6374,6374,2025-09-11 06:07:59.0857244,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6375,6375,2025-09-11 
06:07:59.0888505,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6376,6376,2025-09-11 06:07:59.0909479,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6377,6377,2025-09-11 06:07:59.0933493,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_mui_0409_1405c8a02d1f7079.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6378,6378,2025-09-11 
06:07:59.0964234,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_config_632772819e294ecb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6379,6379,2025-09-11 06:07:59.0990716,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_framework_v4.0.30319_1033_46978eadd75062e8.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6380,6380,2025-09-11 06:07:59.1008570,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_xsdbuildtask_v4.0_4.0.0.0_31bf3856ad364e35_94cd14ccee5b1bc4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6381,6381,2025-09-11 
06:07:59.1030432,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_xamlbuildtask_v4.0_4.0.0.0_31bf3856ad364e35_3bf92e3dc98fdab9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x20D0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6382,6382,2025-09-11 06:07:59.1048286,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_wsatconfig_v4.0_4.0.0.0_b03f5f7f11d50a3a_f6604017f8ac15e5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6383,6383,2025-09-11 06:07:59.1065760,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_windowsformsintegration_v4.0_4.0.0.0_31bf3856ad364e35_fa1114fb4b113c6a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6384,6384,2025-09-11 06:07:59.1130049,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_windowsbase_v4.0_4.0.0.0_31bf3856ad364e35_5764ca98829cd598.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6385,6385,2025-09-11 06:07:59.1148303,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_uiautomationtypes_v4.0_4.0.0.0_31bf3856ad364e35_1f12bec8f88f4450.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6386,6386,2025-09-11 06:07:59.1166687,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_uiautomationprovider_v4.0_4.0.0.0_31bf3856ad364e35_6bb637099f04ee2c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6387,6387,2025-09-11 06:07:59.1184801,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_uiautomationclientsideproviders_v4.0_4.0.0.0_31bf3856ad364e35_6944991d7b306f0d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6388,6388,2025-09-11 06:07:59.1204400,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_uiautomationclient_v4.0_4.0.0.0_31bf3856ad364e35_35816ba0d06901c4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6389,6389,2025-09-11 06:07:59.1221031,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.xpath.xdocument_v4.0_4.0.0.0_b03f5f7f11d50a3a_13d787dd4a94fa8c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6390,6390,2025-09-11 06:07:59.1242698,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.xpath_v4.0_4.0.0.0_b03f5f7f11d50a3a_d898708704b8d551.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6391,6391,2025-09-11 06:07:59.1264769,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.xmlserializer_v4.0_4.0.0.0_b03f5f7f11d50a3a_6c9d606b007d1557.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1354""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6392,6392,2025-09-11 06:07:59.1329866,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.xmldocument_v4.0_4.0.0.0_b03f5f7f11d50a3a_fd81ff658246d020.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6393,6393,2025-09-11 06:07:59.1351484,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.xdocument_v4.0_4.0.0.0_b03f5f7f11d50a3a_852aa6f49c129e37.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6394,6394,2025-09-11 06:07:59.1378233,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.serialization_v4.0_4.0.0.0_b77a5c561934e089_6ff3201afb2eac30.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6395,6395,2025-09-11 06:07:59.1394256,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.readerwriter_v4.0_4.0.0.0_b03f5f7f11d50a3a_7d231cce8a4b3404.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6396,6396,2025-09-11 06:07:59.1411087,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml.linq_v4.0_4.0.0.0_b77a5c561934e089_4c2a3a0252ed4dee.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6397,6397,2025-09-11 06:07:59.1431237,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xml_v4.0_4.0.0.0_b77a5c561934e089_ec23d9a7ad53e8b2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2BF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6398,6398,2025-09-11 06:07:59.1452516,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xaml.hosting_v4.0_4.0.0.0_31bf3856ad364e35_d61c2393b2c1b543.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6399,6399,2025-09-11 06:07:59.1466845,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.xaml_v4.0_4.0.0.0_b77a5c561934e089_6747aba031bff5b1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6400,6400,2025-09-11 06:07:59.1513988,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.workflowservices_v4.0_4.0.0.0_31bf3856ad364e35_b1b82c2b9b3832b2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6401,6401,2025-09-11 06:07:59.1534481,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.workflow.runtime_v4.0_4.0.0.0_31bf3856ad364e35_31ba0371c5f86fe4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6402,6402,2025-09-11 06:07:59.1553051,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.workflow.componentmodel_v4.0_4.0.0.0_31bf3856ad364e35_b50e5ded6b8f42b2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6403,6403,2025-09-11 06:07:59.1570363,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.workflow.activities_v4.0_4.0.0.0_31bf3856ad364e35_2480ec08ec0a29b7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6404,6404,2025-09-11 06:07:59.1588336,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.presentation_v4.0_4.0.0.0_b77a5c561934e089_24c96e17021b8ee0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6405,6405,2025-09-11 06:07:59.1613623,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.input.manipulations_v4.0_4.0.0.0_b77a5c561934e089_e371b07d4f39e0ea.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6406,6406,2025-09-11 06:07:59.1633514,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.forms.datavisualization.design_v4.0_4.0.0.0_31bf38_ccf1b814b89f1ccf.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6407,6407,2025-09-11 06:07:59.1653293,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.forms.datavisualization_v4.0_4.0.0.0_31bf3856ad364_0478e70360a4d545.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6408,6408,2025-09-11 06:07:59.1676417,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.forms_v4.0_4.0.0.0_b77a5c561934e089_7780f78ea9286b2d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6409,6409,2025-09-11 06:07:59.1695890,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows.controls.ribbon_v4.0_4.0.0.0_b77a5c561934e089_f0c023acb7bafe74.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6410,6410,2025-09-11 06:07:59.1714133,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.windows_v4.0_4.0.0.0_b03f5f7f11d50a3a_14e21d90818adac4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6411,6411,2025-09-11 06:07:59.1735728,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.services_v4.0_4.0.0.0_b03f5f7f11d50a3a_129c9594715c46ed.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6412,6412,2025-09-11 06:07:59.1762613,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.routing_v4.0_4.0.0.0_31bf3856ad364e35_a9c0feed2f70623f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6413,6413,2025-09-11 06:07:59.1782436,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.regularexpressions_v4.0_4.0.0.0_b03f5f7f11d50a3a_53634247b6bcd312.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6414,6414,2025-09-11 06:07:59.1808889,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.mobile_v4.0_4.0.0.0_b03f5f7f11d50a3a_c13c4bce51b9229b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6415,6415,2025-09-11 06:07:59.1826763,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.extensions.design_v4.0_4.0.0.0_31bf3856ad364e35_84d31779a00d6757.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6416,6416,2025-09-11 06:07:59.1843853,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.extensions_v4.0_4.0.0.0_31bf3856ad364e35_472dc08bcbe9e0cb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6417,6417,2025-09-11 06:07:59.1863900,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.entity.design_v4.0_4.0.0.0_b77a5c561934e089_ddb8bdb1540c8c0e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6418,6418,2025-09-11 06:07:59.1912132,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.entity_v4.0_4.0.0.0_b77a5c561934e089_36e19d87de8fc026.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6419,6419,2025-09-11 06:07:59.1933376,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.dynamicdata.design_v4.0_4.0.0.0_31bf3856ad364e35_782f5e07917b64a2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6420,6420,2025-09-11 06:07:59.1968981,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.dynamicdata_v4.0_4.0.0.0_31bf3856ad364e35_9c052c8c6b7010aa.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6421,6421,2025-09-11 06:07:59.1988093,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.datavisualization.design_v4.0_4.0.0.0_31bf3856ad364e35_0b3f855140f57a09.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6422,6422,2025-09-11 06:07:59.2021957,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.datavisualization_v4.0_4.0.0.0_31bf3856ad364e35_a3af913e1ef9fbaf.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6423,6423,2025-09-11 06:07:59.2040158,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.applicationservices_v4.0_4.0.0.0_31bf3856ad364e35_68ccda43ca2f1ddf.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6424,6424,2025-09-11 06:07:59.2078220,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.web.abstractions_v4.0_4.0.0.0_31bf3856ad364e35_b01c24337522e27e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6425,6425,2025-09-11 06:07:59.2101546,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.valuetuple_v4.0_4.0.0.0_cc7b13ffcd2ddd51_8fa48bfd594c23e9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6426,6426,2025-09-11 06:07:59.2129135,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.timer_v4.0_4.0.0.0_b03f5f7f11d50a3a_81fa31df76585be2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6427,6427,2025-09-11 06:07:59.2157811,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,8,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.threadpool_v4.0_4.0.0.0_b03f5f7f11d50a3a_0ae8b0d76f00efe1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6428,6428,2025-09-11 06:07:59.2176843,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.thread_v4.0_4.0.0.0_b03f5f7f11d50a3a_3320686143541f5b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6429,6429,2025-09-11 06:07:59.2195466,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.tasks.parallel_v4.0_4.0.0.0_b03f5f7f11d50a3a_2136e1926c6ca84e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6430,6430,2025-09-11 06:07:59.2220660,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.tasks_v4.0_4.0.0.0_b03f5f7f11d50a3a_77bc4c7e2af8a043.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2844""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6431,6431,2025-09-11 06:07:59.2251170,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading.overlapped_v4.0_4.0.0.0_b03f5f7f11d50a3a_42b149aef04c9151.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6432,6432,2025-09-11 06:07:59.2274100,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.threading_v4.0_4.0.0.0_b03f5f7f11d50a3a_b96d2970af2ad0cd.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6433,6433,2025-09-11 06:07:59.2293283,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.text.regularexpressions_v4.0_4.0.0.0_b03f5f7f11d50a3a_bff18186e48a129f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6434,6434,2025-09-11 06:07:59.2315536,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.text.encoding.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_e148ca40724338a3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6435,6435,2025-09-11 06:07:59.2339282,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.text.encoding_v4.0_4.0.0.0_b03f5f7f11d50a3a_14311520155698ed.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6436,6436,2025-09-11 06:07:59.2359425,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.speech_v4.0_4.0.0.0_31bf3856ad364e35_cc6ea888502ba313.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6437,6437,2025-09-11 06:07:59.2375254,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.serviceprocess_v4.0_4.0.0.0_b03f5f7f11d50a3a_c78c7a056bc3d529.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6438,6438,2025-09-11 06:07:59.2392178,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.web_v4.0_4.0.0.0_31bf3856ad364e35_9664587824984869.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6439,6439,2025-09-11 06:07:59.2424008,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.washosting_v4.0_4.0.0.0_b77a5c561934e089_fcc9ffe6a33d9e56.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6440,6440,2025-09-11 06:07:59.2442545,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.servicemoniker40_v4.0_4.0.0.0_b77a5c561934e08_19cca736786d5a4b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6441,6441,2025-09-11 06:07:59.2460507,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.security_v4.0_4.0.0.0_b03f5f7f11d50a3a_87c6b94f09083599.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6442,6442,2025-09-11 06:07:59.2501184,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.routing_v4.0_4.0.0.0_31bf3856ad364e35_cb547f0dc1ee8381.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6443,6443,2025-09-11 06:07:59.2534878,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_7321bf95179694f1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6444,6444,2025-09-11 06:07:59.2550233,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.nettcp_v4.0_4.0.0.0_b03f5f7f11d50a3a_616459d0deb47f9b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6445,6445,2025-09-11 06:07:59.2576556,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.internals_v4.0_4.0.0.0_31bf3856ad364e35_648841c36e579803.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2EB0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6446,6446,2025-09-11 06:07:59.2596252,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.http_v4.0_4.0.0.0_b03f5f7f11d50a3a_98d95e738003f3ff.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6447,6447,2025-09-11 06:07:59.2613696,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.duplex_v4.0_4.0.0.0_b03f5f7f11d50a3a_b8ea3ce39a330763.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6448,6448,2025-09-11 06:07:59.2633941,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.discovery_v4.0_4.0.0.0_31bf3856ad364e35_77886dd12f6a8907.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2EB0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6449,6449,2025-09-11 06:07:59.2656099,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.channels_v4.0_4.0.0.0_31bf3856ad364e35_3b879384d8488ea3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6450,6450,2025-09-11 06:07:59.2695122,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.activities_v4.0_4.0.0.0_31bf3856ad364e35_6a8dabdd0e877c8e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6451,6451,2025-09-11 06:07:59.2729545,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel.activation_v4.0_4.0.0.0_31bf3856ad364e35_71a2cbe542e93be3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6452,6452,2025-09-11 06:07:59.2744989,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.servicemodel_v4.0_4.0.0.0_b77a5c561934e089_b63f15dceb7fa3d7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6453,6453,2025-09-11 06:07:59.2765800,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.securestring_v4.0_4.0.0.0_b03f5f7f11d50a3a_f3bb7544901adce5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x14B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6454,6454,2025-09-11 06:07:59.2796150,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.principal_v4.0_4.0.0.0_b03f5f7f11d50a3a_2b42bebbc118dabd.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6455,6455,2025-09-11 06:07:59.2817616,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.cryptography.x509certificates_v4.0_4.0.0.0_b03f5f_aab0b3bfbb4794e3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6456,6456,2025-09-11 06:07:59.2874624,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.cryptography.primitives_v4.0_4.0.0.0_b03f5f7f11d5_da9c0955dcf09817.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6457,6457,2025-09-11 06:07:59.2913500,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.cryptography.encoding_v4.0_4.0.0.0_b03f5f7f11d50a_9c4eee2a550e8ab2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6458,6458,2025-09-11 06:07:59.2942838,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.cryptography.csp_v4.0_4.0.0.0_b03f5f7f11d50a3a_74664b768bc9020b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6459,6459,2025-09-11 06:07:59.2964618,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.cryptography.algorithms_v4.0_4.0.0.0_b03f5f7f11d5_e281a7af6a070f4d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6460,6460,2025-09-11 06:07:59.2985382,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security.claims_v4.0_4.0.0.0_b03f5f7f11d50a3a_565b7b0199289df6.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6461,6461,2025-09-11 06:07:59.3016281,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.security_v4.0_4.0.0.0_b03f5f7f11d50a3a_b1f6c453104409f9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6462,6462,2025-09-11 06:07:59.3033786,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.windowsruntime.ui.xaml_v4.0_4.0.0.0_b77a5c561934e0_8b59300a16e9a6ee.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6463,6463,2025-09-11 06:07:59.3053795,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.windowsruntime_v4.0_4.0.0.0_b77a5c561934e089_15eddf62f197689e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6464,6464,2025-09-11 06:07:59.3077926,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization.xml_v4.0_4.0.0.0_b03f5f7f11d50a3a_5b6a09c3a84a4334.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6465,6465,2025-09-11 06:07:59.3097873,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization.primitives_v4.0_4.0.0.0_b03f5f7f11d5_2c05338f304b0473.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6466,6466,2025-09-11 06:07:59.3122348,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization.json_v4.0_4.0.0.0_b03f5f7f11d50a3a_0e76552fc2759c9f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6467,6467,2025-09-11 06:07:59.3150716,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization.formatters.soap_v4.0_4.0.0.0_b03f5f7_5dc724dce5f4edc7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6468,6468,2025-09-11 06:07:59.3174471,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization.formatters_v4.0_4.0.0.0_b03f5f7f11d5_6bbae503daa16ff0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6469,6469,2025-09-11 06:07:59.3197478,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.serialization_v4.0_4.0.0.0_b77a5c561934e089_f6fb5cdd6113e4c9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2EB0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6470,6470,2025-09-11 06:07:59.3217685,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.remoting_v4.0_4.0.0.0_b77a5c561934e089_7bd45a1c7774a4dc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6471,6471,2025-09-11 06:07:59.3236742,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.numerics_v4.0_4.0.0.0_b03f5f7f11d50a3a_05b09a68e10f28e5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6472,6472,2025-09-11 06:07:59.3256869,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.interopservices.windowsruntime_v4.0_4.0.0.0_b03f5f_322d5d5eee4a6827.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2EB0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6473,6473,2025-09-11 06:07:59.3350549,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.interopservices.runtimeinformation_v4.0_4.0.0.0_b0_5c722dd52c1a1fac.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6474,6474,2025-09-11 06:07:59.3376323,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.interopservices_v4.0_4.0.0.0_b03f5f7f11d50a3a_497abfe5566f838c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6475,6475,2025-09-11 06:07:59.3396783,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.handles_v4.0_4.0.0.0_b03f5f7f11d50a3a_bcf89499b0a177bc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6476,6476,2025-09-11 06:07:59.3414905,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_a687a798d3b12f8b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6477,6477,2025-09-11 06:07:59.3430427,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.durableinstancing_v4.0_4.0.0.0_31bf3856ad364e35_1f5c3f88d6022b32.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6478,6478,2025-09-11 06:07:59.3451719,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.compilerservices.visualc_v4.0_4.0.0.0_b03f5f7f11d5_aeb7964ad7309017.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6479,6479,2025-09-11 06:07:59.3473771,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime.caching_v4.0_4.0.0.0_b03f5f7f11d50a3a_d3d490bba915725e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6480,6480,2025-09-11 06:07:59.3496341,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.runtime_v4.0_4.0.0.0_b03f5f7f11d50a3a_3615f4311406e4a9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6481,6481,2025-09-11 06:07:59.3521072,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.resources.writer_v4.0_4.0.0.0_b03f5f7f11d50a3a_5c35b3ced3060947.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x12B8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6482,6482,2025-09-11 06:07:59.3549519,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.resources.resourcemanager_v4.0_4.0.0.0_b03f5f7f11d50a3a_0f74f517e4f0914d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6483,6483,2025-09-11 06:07:59.3576092,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.resources.reader_v4.0_4.0.0.0_b03f5f7f11d50a3a_c0215cf5b010ca65.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6484,6484,2025-09-11 06:07:59.3611378,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_429da5d72990193e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6485,6485,2025-09-11 06:07:59.3641085,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_19870563673ce662.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6486,6486,2025-09-11 06:07:59.3659968,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,9,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.emit.lightweight_v4.0_4.0.0.0_b03f5f7f11d50a3a_57c4995f304c07bf.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6487,6487,2025-09-11 06:07:59.3678169,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.emit.ilgeneration_v4.0_4.0.0.0_b03f5f7f11d50a3a_d1adae4ef740d934.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6488,6488,2025-09-11 06:07:59.3701660,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,1048,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.emit_v4.0_4.0.0.0_b03f5f7f11d50a3a_4faa475b150a4889.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6489,6489,2025-09-11 06:07:59.3727565,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection.context_v4.0_4.0.0.0_b77a5c561934e089_48cf05ed63767bbb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6490,6490,2025-09-11 06:07:59.3769913,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.reflection_v4.0_4.0.0.0_b03f5f7f11d50a3a_d4eaf4af957d3eb4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6491,6491,2025-09-11 06:07:59.3788034,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.objectmodel_v4.0_4.0.0.0_b03f5f7f11d50a3a_023bf6fb5da4a401.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6492,6492,2025-09-11 06:07:59.3809984,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.numerics.vectors_v4.0_4.0.0.0_b03f5f7f11d50a3a_834ecbb412cbe1c3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6493,6493,2025-09-11 06:07:59.3826685,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.numerics_v4.0_4.0.0.0_b77a5c561934e089_fd7e5d34af895de7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6494,6494,2025-09-11 06:07:59.3845844,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.websockets.client_v4.0_4.0.0.0_b03f5f7f11d50a3a_23cdb2b75bf61a59.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6495,6495,2025-09-11 06:07:59.3862374,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.websockets_v4.0_4.0.0.0_b03f5f7f11d50a3a_e947d386630ae02c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x44C0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6496,6496,2025-09-11 06:07:59.3880996,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.webheadercollection_v4.0_4.0.0.0_b03f5f7f11d50a3a_066077adb8da6f95.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x3FF0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6497,6497,2025-09-11 06:07:59.3935085,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.sockets_v4.0_4.0.0.0_b03f5f7f11d50a3a_70ade0f909b4adce.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2844""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6498,6498,2025-09-11 06:07:59.3962678,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.security_v4.0_4.0.0.0_b03f5f7f11d50a3a_2461e3a5d3977acc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6499,6499,2025-09-11 06:07:59.3981137,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.requests_v4.0_4.0.0.0_b03f5f7f11d50a3a_3de7bf9034fe1546.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6500,6500,2025-09-11 06:07:59.4010158,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_5cb4d1d37e9775a8.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6501,6501,2025-09-11 06:07:59.4032279,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.ping_v4.0_4.0.0.0_b03f5f7f11d50a3a_c2ece8ee3fb88438.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6502,6502,2025-09-11 06:07:59.4054028,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.networkinformation_v4.0_4.0.0.0_b03f5f7f11d50a3a_b6f74fb78a2d939c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6503,6503,2025-09-11 06:07:59.4084358,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.nameresolution_v4.0_4.0.0.0_b03f5f7f11d50a3a_363020fbb28ad5c9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6504,6504,2025-09-11 06:07:59.4115329,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.http.webrequest_v4.0_4.0.0.0_b03f5f7f11d50a3a_efaa255295e3a257.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x10D8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6505,6505,2025-09-11 06:07:59.4135348,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.http.rtc_v4.0_4.0.0.0_b03f5f7f11d50a3a_ca883f654ecfc731.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6506,6506,2025-09-11 06:07:59.4152115,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net.http_v4.0_4.0.0.0_b03f5f7f11d50a3a_c02456e4349fe25c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6507,6507,2025-09-11 06:07:59.4177662,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.net_v4.0_4.0.0.0_b03f5f7f11d50a3a_3167549e3b04aa4e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x10D8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6508,6508,2025-09-11 06:07:59.4192881,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.messaging_v4.0_4.0.0.0_b03f5f7f11d50a3a_8e94df7d470edf3f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6509,6509,2025-09-11 06:07:59.4210873,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.management.instrumentation_v4.0_4.0.0.0_b77a5c561934e089_03e7bf709840d71a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6510,6510,2025-09-11 06:07:59.4226832,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.management_v4.0_4.0.0.0_b03f5f7f11d50a3a_0458f8d2dd88c1aa.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x10D8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6511,6511,2025-09-11 06:07:59.4255624,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.linq.queryable_v4.0_4.0.0.0_b03f5f7f11d50a3a_721e19919f256243.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6512,6512,2025-09-11 06:07:59.4274411,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.linq.parallel_v4.0_4.0.0.0_b03f5f7f11d50a3a_351eac8c515cafc0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6513,6513,2025-09-11 06:07:59.4300812,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.linq.expressions_v4.0_4.0.0.0_b03f5f7f11d50a3a_517bf759d11fc392.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x10D8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6514,6514,2025-09-11 06:07:59.4332987,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.linq_v4.0_4.0.0.0_b03f5f7f11d50a3a_c97f709a752f7845.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x21BC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6515,6515,2025-09-11 06:07:59.4362281,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.unmanagedmemorystream_v4.0_4.0.0.0_b03f5f7f11d50a3a_e46b1c72dc244dfa.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6516,6516,2025-09-11 06:07:59.4425156,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.pipes_v4.0_4.0.0.0_b03f5f7f11d50a3a_988718e07d8140e8.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x15B0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6517,6517,2025-09-11 06:07:59.4458406,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.memorymappedfiles_v4.0_4.0.0.0_b03f5f7f11d50a3a_a8ec882311a1cea6.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x10D8""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6518,6518,2025-09-11 06:07:59.4487122,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.log_v4.0_4.0.0.0_b03f5f7f11d50a3a_19681918fe50674f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x15B0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6519,6519,2025-09-11 06:07:59.4532512,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.isolatedstorage_v4.0_4.0.0.0_b03f5f7f11d50a3a_01ffbc01241646ab.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6520,6520,2025-09-11 06:07:59.4565865,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.filesystem.watcher_v4.0_4.0.0.0_b03f5f7f11d50a3a_a1ac5c5d1ddba13e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6521,6521,2025-09-11 06:07:59.4585308,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.filesystem.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_8e8c57bfa8c34d06.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2CE0""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6522,6522,2025-09-11 06:07:59.4602434,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.filesystem.driveinfo_v4.0_4.0.0.0_b03f5f7f11d50a3a_6910dd24f31d2dbc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6523,6523,2025-09-11 06:07:59.4623901,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.filesystem_v4.0_4.0.0.0_b03f5f7f11d50a3a_d3fcca9264d008c0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6524,6524,2025-09-11 06:07:59.4659055,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.compression.zipfile_v4.0_4.0.0.0_b77a5c561934e089_6ce6c90a1703d5a0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6525,6525,2025-09-11 06:07:59.4677823,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.compression.filesystem_v4.0_4.0.0.0_b77a5c561934e089_7694ae7dcca95312.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1240""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6526,6526,2025-09-11 06:07:59.4706679,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io.compression_v4.0_4.0.0.0_b77a5c561934e089_c4b4345afacfcf69.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6527,6527,2025-09-11 06:07:59.4734405,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.io_v4.0_4.0.0.0_b03f5f7f11d50a3a_a19e3120c74ab1f1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6528,6528,2025-09-11 06:07:59.4758600,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.identitymodel.services_v4.0_4.0.0.0_b77a5c561934e089_9152e5e9cf585ca0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6529,6529,2025-09-11 06:07:59.4784088,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.identitymodel.selectors_v4.0_4.0.0.0_b77a5c561934e089_755ad778f7fba07e.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6530,6530,2025-09-11 06:07:59.4804267,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.identitymodel_v4.0_4.0.0.0_b77a5c561934e089_b5d483bcf27e78c2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6531,6531,2025-09-11 06:07:59.4821982,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.globalization.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_e25110ab95ab94aa.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6532,6532,2025-09-11 06:07:59.4839006,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.globalization.calendars_v4.0_4.0.0.0_b03f5f7f11d50a3a_4141fbdbdc0a19a3.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6533,6533,2025-09-11 06:07:59.4859918,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.globalization_v4.0_4.0.0.0_b03f5f7f11d50a3a_f1f2224d9c6b39d6.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6534,6534,2025-09-11 06:07:59.4875707,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.dynamic.runtime_v4.0_4.0.0.0_b03f5f7f11d50a3a_298f8da8b4cebb78.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6535,6535,2025-09-11 06:07:59.4916972,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.dynamic_v4.0_4.0.0.0_b03f5f7f11d50a3a_4aff6f61cd14ea4a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6536,6536,2025-09-11 06:07:59.4922669,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.drawing.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_34e7f059824400c7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6537,6537,2025-09-11 06:07:59.4941976,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.drawing.design_v4.0_4.0.0.0_b03f5f7f11d50a3a_251fc3e264cdd5af.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6538,6538,2025-09-11 06:07:59.4968684,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.drawing_v4.0_4.0.0.0_b03f5f7f11d50a3a_039c32879a6fdb19.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6539,6539,2025-09-11 06:07:59.4989552,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.directoryservices.protocols_v4.0_4.0.0.0_b03f5f7f11d50a3a_831ae34a2536005b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6540,6540,2025-09-11 06:07:59.5005528,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.directoryservices.accountmanagement_v4.0_4.0.0.0_b77a5c561_16c16f8d1da3da7a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6541,6541,2025-09-11 06:07:59.5032055,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.directoryservices_v4.0_4.0.0.0_b03f5f7f11d50a3a_8d57c15241d35cfa.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6542,6542,2025-09-11 06:07:59.5051128,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.tracing_v4.0_4.0.0.0_b03f5f7f11d50a3a_fd9c247c62a9b3a9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6543,6543,2025-09-11 06:07:59.5079713,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.tracesource_v4.0_4.0.0.0_b03f5f7f11d50a3a_0039273ce5652329.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6544,6544,2025-09-11 06:07:59.5107077,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.tools_v4.0_4.0.0.0_b03f5f7f11d50a3a_df29320a0248506a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6545,6545,2025-09-11 06:07:59.5123169,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,10,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.textwritertracelistener_v4.0_4.0.0.0_b03f5f7f1_7cb157ab10564828.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6546,6546,2025-09-11 06:07:59.5159786,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.stacktrace_v4.0_4.0.0.0_b03f5f7f11d50a3a_1c2ec60aee029688.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6547,6547,2025-09-11 06:07:59.5178545,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,1056,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.process_v4.0_4.0.0.0_b03f5f7f11d50a3a_6d5f5bbfc5119bfc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6548,6548,2025-09-11 06:07:59.5207506,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.fileversioninfo_v4.0_4.0.0.0_b03f5f7f11d50a3a_9c48a2155ec256d1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6549,6549,2025-09-11 06:07:59.5227229,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.debug_v4.0_4.0.0.0_b03f5f7f11d50a3a_2065143d497dad62.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6550,6550,2025-09-11 06:07:59.5244288,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.diagnostics.contracts_v4.0_4.0.0.0_b03f5f7f11d50a3a_e216895c5b20851a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6551,6551,2025-09-11 06:07:59.5262630,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.device_v4.0_4.0.0.0_b77a5c561934e089_89100ef055885edd.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6552,6552,2025-09-11 06:07:59.5280198,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.design_v4.0_4.0.0.0_b03f5f7f11d50a3a_337513a21f90a289.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6553,6553,2025-09-11 06:07:59.5311240,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.deployment_v4.0_4.0.0.0_b03f5f7f11d50a3a_e63bb68aefb0cd4a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6554,6554,2025-09-11 06:07:59.5365098,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.sqlxml_v4.0_4.0.0.0_b77a5c561934e089_748d37f4caf63460.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6555,6555,2025-09-11 06:07:59.5377134,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.services.design_v4.0_4.0.0.0_b77a5c561934e089_8b75b93930fcd145.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6556,6556,2025-09-11 06:07:59.5395542,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,1056,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.services.client_v4.0_4.0.0.0_b77a5c561934e089_529014593f2a99e4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6557,6557,2025-09-11 06:07:59.5413770,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.services_v4.0_4.0.0.0_b77a5c561934e089_c976ac7cb252a1b9.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6558,6558,2025-09-11 06:07:59.5439807,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.linq_v4.0_4.0.0.0_b77a5c561934e089_2fbd72589cb11e65.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6559,6559,2025-09-11 06:07:59.5465771,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.entity.design_v4.0_4.0.0.0_b77a5c561934e089_a6c35b9062a26bb2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6560,6560,2025-09-11 06:07:59.5542368,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.entity_v4.0_4.0.0.0_b77a5c561934e089_70a7c94638890ad4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6561,6561,2025-09-11 06:07:59.5573640,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.datasetextensions_v4.0_4.0.0.0_b77a5c561934e089_50c8f1f8984373f1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6562,6562,2025-09-11 06:07:59.5588650,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,1040,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.data.common_v4.0_4.0.0.0_b03f5f7f11d50a3a_68b470ad3238218c.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6563,6563,2025-09-11 06:07:59.5607154,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.core_v4.0_4.0.0.0_b77a5c561934e089_18d3047bb5729e36.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6564,6564,2025-09-11 06:07:59.5625504,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.console_v4.0_4.0.0.0_b03f5f7f11d50a3a_02bed0c04b11d5e0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6565,6565,2025-09-11 06:07:59.5642750,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.configuration.install_v4.0_4.0.0.0_b03f5f7f11d50a3a_bcd5e639a43e4f28.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6566,6566,2025-09-11 06:07:59.5660758,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.configuration_v4.0_4.0.0.0_b03f5f7f11d50a3a_d8a1d11d04cdf6db.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6567,6567,2025-09-11 06:07:59.5684276,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.typeconverter_v4.0_4.0.0.0_b03f5f7f11d50a3a_916d8c6ee9e262b1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6568,6568,2025-09-11 06:07:59.5722964,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_0de9ab75c7c45ee5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6569,6569,2025-09-11 06:07:59.5754844,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.eventbasedasync_v4.0_4.0.0.0_b03f5f7f11d50a_ddbf877e9a767602.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6570,6570,2025-09-11 06:07:59.5781997,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.dataannotations_v4.0_4.0.0.0_31bf3856ad364e_eb853a08d931bdf7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6571,6571,2025-09-11 06:07:59.5805001,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.composition.registration_v4.0_4.0.0.0_b77a5_aca3e75a5ce707f6.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6572,6572,2025-09-11 06:07:59.5820850,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.composition_v4.0_4.0.0.0_b77a5c561934e089_0d47e2bcbe9d4fb5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6573,6573,2025-09-11 06:07:59.5839218,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel.annotations_v4.0_4.0.0.0_b03f5f7f11d50a3a_05dd04e5368ae861.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6574,6574,2025-09-11 06:07:59.5865970,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.componentmodel_v4.0_4.0.0.0_b03f5f7f11d50a3a_06c29c316a7af973.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6575,6575,2025-09-11 06:07:59.5884337,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.collections.specialized_v4.0_4.0.0.0_b03f5f7f11d50a3a_dbdb0b174e5425a1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6576,6576,2025-09-11 06:07:59.5913315,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.collections.nongeneric_v4.0_4.0.0.0_b03f5f7f11d50a3a_ed5330bb54319be2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6577,6577,2025-09-11 06:07:59.5971118,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.collections.concurrent_v4.0_4.0.0.0_b03f5f7f11d50a3a_17371627aae1f3fd.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6578,6578,2025-09-11 06:07:59.5988429,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.collections_v4.0_4.0.0.0_b03f5f7f11d50a3a_8c6fbdb7de470f98.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6579,6579,2025-09-11 06:07:59.6019159,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.appcontext_v4.0_4.0.0.0_b03f5f7f11d50a3a_c28e8f31192f40df.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6580,6580,2025-09-11 06:07:59.6037704,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.addin.contract_v4.0_4.0.0.0_b03f5f7f11d50a3a_822927c500b35f03.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6581,6581,2025-09-11 06:07:59.6058221,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.addin_v4.0_4.0.0.0_b77a5c561934e089_260da6b31ccda65f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6582,6582,2025-09-11 06:07:59.6077620,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.activities.presentation_v4.0_4.0.0.0_31bf3856ad364e35_3c5a73e0ef416e18.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6583,6583,2025-09-11 06:07:59.6100899,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.activities.durableinstancing_v4.0_4.0.0.0_31bf3856ad364e35_73089aa60ba6815d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6584,6584,2025-09-11 06:07:59.6131821,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.activities.core.presentation_v4.0_4.0.0.0_31bf3856ad364e35_a80b987dc3ea7f1d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6585,6585,2025-09-11 06:07:59.6155199,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system.activities_v4.0_4.0.0.0_31bf3856ad364e35_bdef15cb807505c8.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6586,6586,2025-09-11 06:07:59.6171031,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_system_v4.0_4.0.0.0_b77a5c561934e089_4348a29e5981af79.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6587,6587,2025-09-11 06:07:59.6189894,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_sysglobl_v4.0_4.0.0.0_b03f5f7f11d50a3a_2e8b2df526c968f7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6588,6588,2025-09-11 06:07:59.6207495,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_smsvchost_v4.0_4.0.0.0_b03f5f7f11d50a3a_72b39b46874e3764.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6589,6589,2025-09-11 06:07:59.6232215,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_smdiagnostics_v4.0_4.0.0.0_b77a5c561934e089_8a46d250f4d4a9d0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6590,6590,2025-09-11 06:07:59.6250592,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_reachframework_v4.0_4.0.0.0_31bf3856ad364e35_72298e36fcd01f69.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6591,6591,2025-09-11 06:07:59.6282503,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationui_v4.0_4.0.0.0_31bf3856ad364e35_cebd22d582f67be4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6592,6592,2025-09-11 06:07:59.6328581,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.royale_v4.0_4.0.0.0_31bf3856ad364e35_e02324e9b656d3fe.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6593,6593,2025-09-11 06:07:59.6345458,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.luna_v4.0_4.0.0.0_31bf3856ad364e35_2628015eeb2d3f12.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6594,6594,2025-09-11 06:07:59.6365832,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.classic_v4.0_4.0.0.0_31bf3856ad364e35_279915a05ee2b2fe.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6595,6595,2025-09-11 06:07:59.6396413,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.aerolite_v4.0_4.0.0.0_31bf3856ad364e35_9fa48e35c1b0fd9b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6596,6596,2025-09-11 06:07:59.6425625,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.aero2_v4.0_4.0.0.0_31bf3856ad364e35_97028dc0563b28d5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6597,6597,2025-09-11 06:07:59.6445342,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework.aero_v4.0_4.0.0.0_31bf3856ad364e35_610a536f200a8d89.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6598,6598,2025-09-11 06:07:59.6463615,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework-systemxmllinq_v4.0_4.0.0.0_b77a5c561934e089_d071afabc05ed4c5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6599,6599,2025-09-11 06:07:59.6481167,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework-systemxml_v4.0_4.0.0.0_b77a5c561934e089_3358e028825a0efd.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6600,6600,2025-09-11 06:07:59.6504917,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework-systemdrawing_v4.0_4.0.0.0_b77a5c561934e089_26e3b2c291c2bea2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6601,6601,2025-09-11 06:07:59.6526358,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework-systemdata_v4.0_4.0.0.0_b77a5c561934e089_89b90455552a8828.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6602,6602,2025-09-11 06:07:59.6542236,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework-systemcore_v4.0_4.0.0.0_b77a5c561934e089_a9b1f3bd0104a2cb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6603,6603,2025-09-11 06:07:59.6567700,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationframework_v4.0_4.0.0.0_31bf3856ad364e35_b57a3b1abb4f9cb2.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6604,6604,2025-09-11 06:07:59.6595508,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,11,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_presentationbuildtasks_v4.0_4.0.0.0_31bf3856ad364e35_646554ba9fd6fde4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6605,6605,2025-09-11 06:07:59.6612823,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_netstandard_v4.0_2.0.0.0_cc7b13ffcd2ddd51_2f6736ebef44685f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6606,6606,2025-09-11 06:07:59.6630433,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.workflow.compiler_v4.0_4.0.0.0_31bf3856ad364e35_798c92f99ab21dea.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6607,6607,2025-09-11 06:07:59.6649253,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.windows.applicationserver.applications_v4.0_4.0.0.0_31b_5efc32cc4df61161.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6608,6608,2025-09-11 06:07:59.6666023,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.win32.primitives_v4.0_4.0.0.0_b03f5f7f11d50a3a_002f218fb40f3801.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6609,6609,2025-09-11 06:07:59.6706957,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.visualc.stlclr_v4.0_2.0.0.0_b03f5f7f11d50a3a_f414e1b26239f9d7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6610,6610,2025-09-11 06:07:59.6730092,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.visualc_v4.0_10.0.0.0_b03f5f7f11d50a3a_3aa3659735620b48.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6611,6611,2025-09-11 06:07:59.6768419,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.visualbasic.compatibility.data_v4.0_10.0.0.0_b03f5f7f11_b8cdee767e062055.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6612,6612,2025-09-11 06:07:59.6795448,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.visualbasic.compatibility_v4.0_10.0.0.0_b03f5f7f11d50a3_73e0af197905cc09.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6613,6613,2025-09-11 06:07:59.6811952,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.visualbasic_v4.0_10.0.0.0_b03f5f7f11d50a3a_1ed10879629b0e4f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6614,6614,2025-09-11 06:07:59.6831398,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.transactions.bridge_v4.0_4.0.0.0_b03f5f7f11d50a3a_166fa44babe668da.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6615,6615,2025-09-11 06:07:59.6855204,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.jscript_v4.0_10.0.0.0_b03f5f7f11d50a3a_2b0e6b268d3620fe.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6616,6616,2025-09-11 06:07:59.6874636,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.internal.tasks.dataflow_v4.0_4.0.0.0_b77a5c561934e089_9a99fcaf6bbde939.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6617,6617,2025-09-11 06:07:59.6921620,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.csharp_v4.0_4.0.0.0_b03f5f7f11d50a3a_c9e0673e8f2d225d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6618,6618,2025-09-11 06:07:59.6955389,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build.utilities.v4.0_v4.0_4.0.0.0_b03f5f7f11d50a3a_f24cdb9ca1af6bf0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6619,6619,2025-09-11 06:07:59.6971865,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build.tasks.v4.0_v4.0_4.0.0.0_b03f5f7f11d50a3a_ff8d146a1492e7b0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6620,6620,2025-09-11 06:07:59.6989589,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build.framework_v4.0_4.0.0.0_b03f5f7f11d50a3a_ec1399cb57c30234.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6621,6621,2025-09-11 06:07:59.7005637,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build.engine_v4.0_4.0.0.0_b03f5f7f11d50a3a_d1b26ca5b719fc9a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6622,6622,2025-09-11 06:07:59.7023734,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build.conversion.v4.0_v4.0_4.0.0.0_b03f5f7f11d50a3a_c1a6933f1ab8115a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6623,6623,2025-09-11 06:07:59.7048509,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.build_v4.0_4.0.0.0_b03f5f7f11d50a3a_e8c97ee7398e3b32.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6624,6624,2025-09-11 06:07:59.7071401,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_microsoft.activities.build_v4.0_4.0.0.0_31bf3856ad364e35_70a060c9241b461d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6625,6625,2025-09-11 06:07:59.7094969,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_dfsvc_v4.0_4.0.0.0_b03f5f7f11d50a3a_f80f4392222431f4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6626,6626,2025-09-11 06:07:59.7137879,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_comsvcconfig_v4.0_4.0.0.0_b03f5f7f11d50a3a_c65f47eee12df8e7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6627,6627,2025-09-11 06:07:59.7166560,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_microsoft.net_assembly_gac_msil_accessibility_v4.0_4.0.0.0_b03f5f7f11d50a3a_0172ba8d22e3c372.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6628,6628,2025-09-11 06:07:59.7183516,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_3f581daba4c8c835.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6629,6629,2025-09-11 06:07:59.7209184,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,112,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_windows_workflow_foundation_4.0.0.0_60d60271dbee3c46.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x16AC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6630,6630,2025-09-11 
06:07:59.7242390,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_windows_workflow_foundation_4.0.0.0_0000_c87be1b3a7dd87fc.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6631,6631,2025-09-11 06:07:59.7260875,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1BCC""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6632,6632,2025-09-11 06:07:59.7287699,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6633,6633,2025-09-11 
06:07:59.7348657,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_msdtc_bridge_4.0.0.0_4d0c545c25fa998f.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6634,6634,2025-09-11 06:07:59.7374918,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_msdtc_bridge_4.0.0.0_0000_4cb1a772183b9c05.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6635,6635,2025-09-11 06:07:59.7389992,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.netframework_266880c2626e99c6.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6636,6636,2025-09-11 
06:07:59.7409610,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.netframework_0000_fd6b5f63492732f4.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6637,6637,2025-09-11 06:07:59.7428944,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_memory_cache_4.0_1a15ae299d9ee7c5.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6638,6638,2025-09-11 06:07:59.7445919,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_memory_cache_4.0_0000_64a7b02e442508e7.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6639,6639,2025-09-11 
06:07:59.7462700,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_data_provider_for_sqlserver_7cfd5f3e72497ce1.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6640,6640,2025-09-11 06:07:59.7479948,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_data_provider_for_sqlserver_0000_22ef191981b08b2b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6641,6641,2025-09-11 06:07:59.7502949,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_data_provider_for_oracle_07838adde9419766.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6642,6642,2025-09-11 
06:07:59.7528147,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_data_provider_for_oracle_0000_1ac87488f00b2af0.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6643,6643,2025-09-11 06:07:59.7556187,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_networking_4.0.0.0_ea306c746014451b.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6644,6644,2025-09-11 06:07:59.7573717,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_networking_4.0.0.0_0000_fb64a89a4648c7eb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6645,6645,2025-09-11 
06:07:59.7617461,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_networking_d061836896f4f29d.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6646,6646,2025-09-11 06:07:59.7637419,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_networking_0000_417aaafa90927065.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6647,6647,2025-09-11 06:07:59.7656309,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_data_0864fda87da3c851.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6648,6648,2025-09-11 
06:07:59.7672654,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\$$_inf_.net_clr_data_0000_9334e121f0277e71.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6649,6649,2025-09-11 06:07:59.7739187,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\programdata.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6650,6650,2025-09-11 06:07:59.7762460,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\programdata_microsoft_fe5c6d762edd2110.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6651,6651,2025-09-11 
06:07:59.7781737,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\programdata_microsoft_netframework_breadcrumbstore_57b12ae7ff4faaeb.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6652,6652,2025-09-11 06:07:59.7799994,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\program_files_x86__676bbe2c7241b694.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6653,6653,2025-09-11 06:07:59.7826480,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\WinSxS\\FileMaps\\program_files_x86_microsoft.net_redistlist_3763988b9360433a.cdf-ms""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;0x1f0116;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6654,6654,2025-09-11 
06:07:59.9258264,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Accessibility.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6655,6655,2025-09-11 06:07:59.9265043,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6656,6656,2025-09-11 06:07:59.9271331,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6657,6657,2025-09-11 
06:07:59.9276633,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInUtil.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6658,6658,2025-09-11 06:07:59.9283762,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AdoNetDiag.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6659,6659,2025-09-11 06:07:59.9290081,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\alink.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6660,6660,2025-09-11 
06:07:59.9295959,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6661,6661,2025-09-11 06:07:59.9302404,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6662,6662,2025-09-11 06:07:59.9307706,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_filter.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6663,6663,2025-09-11 
06:07:59.9315071,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_isapi.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6664,6664,2025-09-11 06:07:59.9320525,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Aspnet_perf.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6665,6665,2025-09-11 06:07:59.9325679,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_rc.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6666,6666,2025-09-11 
06:07:59.9332482,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regbrowsers.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6667,6667,2025-09-11 06:07:59.9337999,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6668,6668,2025-09-11 06:07:59.9351573,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,12,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regsql.exe""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6669,6669,2025-09-11 
06:07:59.9362045,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_state.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6670,6670,2025-09-11 06:07:59.9377304,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_wp.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6671,6671,2025-09-11 06:07:59.9393397,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CasPol.exe""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6672,6672,2025-09-11 
06:07:59.9404036,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6673,6673,2025-09-11 06:07:59.9417250,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrcompression.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6674,6674,2025-09-11 06:07:59.9426615,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clretwrc.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6675,6675,2025-09-11 
06:07:59.9433724,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6676,6676,2025-09-11 06:07:59.9439114,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ComSvcConfig.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6677,6677,2025-09-11 06:07:59.9444921,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CORPerfMonExt.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6678,6678,2025-09-11 
06:07:59.9451572,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6679,6679,2025-09-11 06:07:59.9456840,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Culture.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6680,6680,2025-09-11 06:07:59.9462348,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CustomMarshalers.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6681,6681,2025-09-11 
06:07:59.9469182,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6682,6682,2025-09-11 06:07:59.9481512,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\DataSvcUtil.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6683,6683,2025-09-11 06:07:59.9510112,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfdll.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6684,6684,2025-09-11 
06:07:59.9520930,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6685,6685,2025-09-11 06:07:59.9528959,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\diasymreader.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6686,6686,2025-09-11 06:07:59.9539345,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\EdmGen.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6687,6687,2025-09-11 
06:07:59.9555642,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\EventLogMessages.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6688,6688,2025-09-11 06:07:59.9570804,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\FileTracker.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6689,6689,2025-09-11 06:07:59.9580478,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\fusion.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6690,6690,2025-09-11 
06:07:59.9589561,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6691,6691,2025-09-11 06:07:59.9600241,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6692,6692,2025-09-11 06:07:59.9607837,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtilLib.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6693,6693,2025-09-11 
06:07:59.9616304,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ISymWrapper.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6694,6694,2025-09-11 06:07:59.9624205,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6695,6695,2025-09-11 06:07:59.9644689,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Activities.Build.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6696,6696,2025-09-11 
06:07:59.9651292,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.Conversion.v4.0.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6697,6697,2025-09-11 06:07:59.9657068,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6698,6698,2025-09-11 06:07:59.9663052,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.Engine.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6699,6699,2025-09-11 
06:07:59.9668682,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.Framework.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6700,6700,2025-09-11 06:07:59.9674657,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6701,6701,2025-09-11 06:07:59.9680344,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Build.Utilities.v4.0.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6702,6702,2025-09-11 06:07:59.9684957,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.CSharp.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6703,6703,2025-09-11 06:07:59.9691919,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Data.Entity.Build.Tasks.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6704,6704,2025-09-11 06:07:59.9707320,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Internal.Tasks.Dataflow.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6705,6705,2025-09-11 06:07:59.9718830,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.JScript.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6706,6706,2025-09-11 06:07:59.9732568,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.JScript.tlb""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6707,6707,2025-09-11 06:07:59.9738962,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Transactions.Bridge.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6708,6708,2025-09-11 
06:07:59.9745489,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,992,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Transactions.Bridge.Dtc.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6709,6709,2025-09-11 06:07:59.9757370,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.VisualBasic.Activities.Compiler.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6710,6710,2025-09-11 06:07:59.9765627,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.VisualBasic.Compatibility.Data.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6711,6711,2025-09-11 06:07:59.9773322,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.VisualBasic.Compatibility.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6712,6712,2025-09-11 06:07:59.9782333,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.VisualBasic.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6713,6713,2025-09-11 06:07:59.9793555,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Win32.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6714,6714,2025-09-11 06:07:59.9801505,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Windows.ApplicationServer.Applications.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6715,6715,2025-09-11 06:07:59.9809617,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Microsoft.Workflow.Compiler.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6716,6716,2025-09-11 06:07:59.9816245,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MmcAspExt.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6717,6717,2025-09-11 06:07:59.9836309,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6718,6718,2025-09-11 
06:07:59.9851155,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscordacwks.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6719,6719,2025-09-11 06:07:59.9860622,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscordbi.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6720,6720,2025-09-11 06:07:59.9868009,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoree.tlb""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6721,6721,2025-09-11 
06:07:59.9877929,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6722,6722,2025-09-11 06:07:59.9886525,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreeis.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6723,6723,2025-09-11 06:07:59.9894639,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6724,6724,2025-09-11 
06:07:59.9901223,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorpe.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6725,6725,2025-09-11 06:07:59.9908689,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorpehost.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6726,6726,2025-09-11 06:07:59.9933880,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6727,6727,2025-09-11 
06:07:59.9940590,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsecimpl.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6728,6728,2025-09-11 06:07:59.9946757,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsn.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6729,6729,2025-09-11 06:07:59.9958683,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvc.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6730,6730,2025-09-11 
06:07:59.9968201,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6731,6731,2025-09-11 06:07:59.9980962,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\netstandard.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6732,6732,2025-09-11 06:07:59.9998553,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6733,6733,2025-09-11 
06:08:00.0019579,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,13,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6734,6734,2025-09-11 06:08:00.0041597,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\PerfCounter.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6735,6735,2025-09-11 06:08:00.0051670,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\peverify.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6736,6736,2025-09-11 
06:08:00.0056088,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6737,6737,2025-09-11 06:08:00.0062897,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6738,6738,2025-09-11 06:08:00.0069097,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\SbsNclPerf.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6739,6739,2025-09-11 
06:08:00.0075690,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,960,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelEvents.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6740,6740,2025-09-11 06:08:00.0081073,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelInstallRC.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6741,6741,2025-09-11 06:08:00.0087459,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelPerformanceCounters.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6742,6742,2025-09-11 
06:08:00.0093401,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelReg.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6743,6743,2025-09-11 06:08:00.0100292,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelRegUI.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6744,6744,2025-09-11 06:08:00.0106387,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceMonikerSupport.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6745,6745,2025-09-11 
06:08:00.0111613,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\SMDiagnostics.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6746,6746,2025-09-11 06:08:00.0116814,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\SMSvcHost.exe""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6747,6747,2025-09-11 06:08:00.0123557,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\SOS.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6748,6748,2025-09-11 
06:08:00.0128477,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sysglobl.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6749,6749,2025-09-11 06:08:00.0134584,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Activities.Core.Presentation.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6750,6750,2025-09-11 06:08:00.0139894,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Activities.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6751,6751,2025-09-11 
06:08:00.0146307,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Activities.DurableInstancing.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6752,6752,2025-09-11 06:08:00.0150985,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Activities.Presentation.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6753,6753,2025-09-11 06:08:00.0157245,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.AddIn.Contract.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6754,6754,2025-09-11 
06:08:00.0167862,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.AddIn.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6755,6755,2025-09-11 06:08:00.0173651,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.AppContext.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6756,6756,2025-09-11 06:08:00.0178423,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Collections.Concurrent.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6757,6757,2025-09-11 
06:08:00.0187508,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Collections.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6758,6758,2025-09-11 06:08:00.0193464,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Collections.NonGeneric.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6759,6759,2025-09-11 06:08:00.0197726,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Collections.Specialized.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6760,6760,2025-09-11 06:08:00.0203475,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.Annotations.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6761,6761,2025-09-11 06:08:00.0213509,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.Composition.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6762,6762,2025-09-11 06:08:00.0221770,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\system.componentmodel.composition.registration.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6763,6763,2025-09-11 06:08:00.0234332,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.DataAnnotations.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6764,6764,2025-09-11 06:08:00.0242863,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6765,6765,2025-09-11 06:08:00.0261698,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.EventBasedAsync.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6766,6766,2025-09-11 06:08:00.0267453,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6767,6767,2025-09-11 06:08:00.0272965,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ComponentModel.TypeConverter.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6768,6768,2025-09-11 06:08:00.0279948,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Configuration.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6769,6769,2025-09-11 06:08:00.0286918,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Configuration.Install.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6770,6770,2025-09-11 06:08:00.0292532,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Console.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6771,6771,2025-09-11 
06:08:00.0298057,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Core.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6772,6772,2025-09-11 06:08:00.0341304,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Common.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6773,6773,2025-09-11 06:08:00.0351318,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.DataSetExtensions.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6774,6774,2025-09-11 
06:08:00.0366033,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6775,6775,2025-09-11 06:08:00.0372572,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Entity.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6776,6776,2025-09-11 06:08:00.0378065,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Entity.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6777,6777,2025-09-11 
06:08:00.0385843,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Linq.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6778,6778,2025-09-11 06:08:00.0401178,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.OracleClient.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6779,6779,2025-09-11 06:08:00.0434070,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Services.Client.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6780,6780,2025-09-11 
06:08:00.0447968,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Services.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6781,6781,2025-09-11 06:08:00.0454832,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.Services.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6782,6782,2025-09-11 06:08:00.0460886,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Data.SqlXml.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6783,6783,2025-09-11 
06:08:00.0467526,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Deployment.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6784,6784,2025-09-11 06:08:00.0478851,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6785,6785,2025-09-11 06:08:00.0509792,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Device.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6786,6786,2025-09-11 
06:08:00.0524559,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.Contracts.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6787,6787,2025-09-11 06:08:00.0533214,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.Debug.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6788,6788,2025-09-11 06:08:00.0542591,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.FileVersionInfo.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6789,6789,2025-09-11 06:08:00.0552630,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.Process.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6790,6790,2025-09-11 06:08:00.0556391,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.StackTrace.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6791,6791,2025-09-11 06:08:00.0560392,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.TextWriterTraceListener.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6792,6792,2025-09-11 06:08:00.0565023,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.Tools.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6793,6793,2025-09-11 06:08:00.0606302,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.TraceSource.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6794,6794,2025-09-11 06:08:00.0654189,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Diagnostics.Tracing.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6795,6795,2025-09-11 06:08:00.0658719,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.DirectoryServices.AccountManagement.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6796,6796,2025-09-11 06:08:00.0670506,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.DirectoryServices.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6797,6797,2025-09-11 06:08:00.0670558,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,14,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.DirectoryServices.Protocols.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6798,6798,2025-09-11 06:08:00.0675651,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6799,6799,2025-09-11 06:08:00.0681626,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Drawing.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6800,6800,2025-09-11 06:08:00.0687320,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Drawing.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6801,6801,2025-09-11 
06:08:00.0690199,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Drawing.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6802,6802,2025-09-11 06:08:00.0698067,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Drawing.tlb""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6803,6803,2025-09-11 06:08:00.0703438,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Dynamic.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6804,6804,2025-09-11 
06:08:00.0710907,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Dynamic.Runtime.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6805,6805,2025-09-11 06:08:00.0715837,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.EnterpriseServices.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6806,6806,2025-09-11 06:08:00.0722162,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.EnterpriseServices.Thunk.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6807,6807,2025-09-11 06:08:00.0746211,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.EnterpriseServices.tlb""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6808,6808,2025-09-11 06:08:00.0752789,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.EnterpriseServices.Wrapper.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6809,6809,2025-09-11 06:08:00.0761686,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Globalization.Calendars.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6810,6810,2025-09-11 06:08:00.0780652,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Globalization.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6811,6811,2025-09-11 06:08:00.0785339,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Globalization.Extensions.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6812,6812,2025-09-11 06:08:00.0794338,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IdentityModel.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6813,6813,2025-09-11 
06:08:00.0807945,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3288,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IdentityModel.Selectors.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6814,6814,2025-09-11 06:08:00.0824506,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,340,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IdentityModel.Services.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6815,6815,2025-09-11 06:08:00.0830994,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,340,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.Compression.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6816,6816,2025-09-11 
06:08:00.0837391,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,340,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.Compression.FileSystem.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6817,6817,2025-09-11 06:08:00.0846238,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.Compression.ZipFile.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6818,6818,2025-09-11 06:08:00.1246648,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6819,6819,2025-09-11 
06:08:00.1295083,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.FileSystem.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6820,6820,2025-09-11 06:08:00.1303800,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.FileSystem.DriveInfo.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6821,6821,2025-09-11 06:08:00.1321266,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.FileSystem.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6822,6822,2025-09-11 06:08:00.1336751,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.FileSystem.Watcher.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6823,6823,2025-09-11 06:08:00.1361844,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.IsolatedStorage.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6824,6824,2025-09-11 06:08:00.1372035,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.Log.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6825,6825,2025-09-11 
06:08:00.1378346,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.MemoryMappedFiles.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6826,6826,2025-09-11 06:08:00.1392387,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.Pipes.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6827,6827,2025-09-11 06:08:00.1399334,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.IO.UnmanagedMemoryStream.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6828,6828,2025-09-11 
06:08:00.1404588,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Linq.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6829,6829,2025-09-11 06:08:00.1409737,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Linq.Expressions.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6830,6830,2025-09-11 06:08:00.1415023,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Linq.Parallel.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6831,6831,2025-09-11 
06:08:00.1420501,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Linq.Queryable.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6832,6832,2025-09-11 06:08:00.1425876,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Management.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6833,6833,2025-09-11 06:08:00.1431163,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Management.Instrumentation.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6834,6834,2025-09-11 
06:08:00.1442711,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Messaging.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6835,6835,2025-09-11 06:08:00.1461381,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6836,6836,2025-09-11 06:08:00.1472622,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Http.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6837,6837,2025-09-11 
06:08:00.1478882,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Http.Rtc.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6838,6838,2025-09-11 06:08:00.1485018,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Http.WebRequest.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6839,6839,2025-09-11 06:08:00.1492149,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.NameResolution.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6840,6840,2025-09-11 
06:08:00.1502400,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.NetworkInformation.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6841,6841,2025-09-11 06:08:00.1508421,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Ping.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6842,6842,2025-09-11 06:08:00.1515942,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6843,6843,2025-09-11 
06:08:00.1521189,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Requests.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6844,6844,2025-09-11 06:08:00.1529436,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Security.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6845,6845,2025-09-11 06:08:00.1532187,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.Sockets.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6846,6846,2025-09-11 
06:08:00.1538169,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.WebHeaderCollection.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6847,6847,2025-09-11 06:08:00.1543489,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.WebSockets.Client.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6848,6848,2025-09-11 06:08:00.1549198,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Net.WebSockets.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6849,6849,2025-09-11 
06:08:00.1554028,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Numerics.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6850,6850,2025-09-11 06:08:00.1559236,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Numerics.Vectors.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6851,6851,2025-09-11 06:08:00.1571367,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ObjectModel.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6852,6852,2025-09-11 
06:08:00.1577628,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.context.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6853,6853,2025-09-11 06:08:00.1583057,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6854,6854,2025-09-11 06:08:00.1601319,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.Emit.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6855,6855,2025-09-11 
06:08:00.1616952,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.Emit.ILGeneration.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6856,6856,2025-09-11 06:08:00.1639923,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.Emit.Lightweight.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6857,6857,2025-09-11 06:08:00.1653442,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.Extensions.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6858,6858,2025-09-11 06:08:00.1665256,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Reflection.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6859,6859,2025-09-11 06:08:00.1674007,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Resources.Reader.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6860,6860,2025-09-11 06:08:00.1689506,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Resources.ResourceManager.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6861,6861,2025-09-11 
06:08:00.1701642,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,15,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Resources.Writer.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6862,6862,2025-09-11 06:08:00.1716964,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Caching.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6863,6863,2025-09-11 06:08:00.1727112,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.CompilerServices.VisualC.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6864,6864,2025-09-11 06:08:00.1737104,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6865,6865,2025-09-11 06:08:00.1750222,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.DurableInstancing.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6866,6866,2025-09-11 06:08:00.1756637,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Extensions.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6867,6867,2025-09-11 06:08:00.1774113,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Handles.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6868,6868,2025-09-11 06:08:00.1781672,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.InteropServices.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6869,6869,2025-09-11 06:08:00.1785889,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.InteropServices.RuntimeInformation.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6870,6870,2025-09-11 06:08:00.1799142,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.InteropServices.WindowsRuntime.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6871,6871,2025-09-11 06:08:00.1808533,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Numerics.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6872,6872,2025-09-11 06:08:00.1815311,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Remoting.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6873,6873,2025-09-11 06:08:00.1830394,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6874,6874,2025-09-11 06:08:00.1840235,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.Formatters.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6875,6875,2025-09-11 06:08:00.1847247,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.Formatters.Soap.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6876,6876,2025-09-11 06:08:00.1854869,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.Json.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6877,6877,2025-09-11 06:08:00.1865517,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6878,6878,2025-09-11 06:08:00.1884401,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.Serialization.Xml.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6879,6879,2025-09-11 06:08:00.1906086,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.WindowsRuntime.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6880,6880,2025-09-11 06:08:00.1921246,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Runtime.WindowsRuntime.UI.Xaml.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6881,6881,2025-09-11 06:08:00.1932563,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Claims.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6882,6882,2025-09-11 06:08:00.1945634,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Cryptography.Algorithms.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6883,6883,2025-09-11 06:08:00.1958716,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Cryptography.Csp.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6884,6884,2025-09-11 06:08:00.1982612,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Cryptography.Encoding.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6885,6885,2025-09-11 06:08:00.1987847,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Cryptography.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6886,6886,2025-09-11 06:08:00.1991151,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Cryptography.X509Certificates.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6887,6887,2025-09-11 06:08:00.1999288,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6888,6888,2025-09-11 06:08:00.2012257,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.Principal.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6889,6889,2025-09-11 06:08:00.2018603,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Security.SecureString.dll""},{""@Name"":""HandleId"",""#text"":""0x23EC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6890,6890,2025-09-11 06:08:00.2030531,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Activation.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6891,6891,2025-09-11 06:08:00.2043576,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Activities.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6892,6892,2025-09-11 06:08:00.2062415,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Channels.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6893,6893,2025-09-11 06:08:00.2076864,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Discovery.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6894,6894,2025-09-11 06:08:00.2088327,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6895,6895,2025-09-11 06:08:00.2097940,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Duplex.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6896,6896,2025-09-11 06:08:00.2106259,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Http.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6897,6897,2025-09-11 
06:08:00.2109401,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Internals.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6898,6898,2025-09-11 06:08:00.2116015,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.NetTcp.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6899,6899,2025-09-11 06:08:00.2122690,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Primitives.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6900,6900,2025-09-11 06:08:00.2130930,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Routing.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6901,6901,2025-09-11 06:08:00.2134121,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Security.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6902,6902,2025-09-11 06:08:00.2139333,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.ServiceMoniker40.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6903,6903,2025-09-11 06:08:00.2149992,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.WasHosting.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6904,6904,2025-09-11 06:08:00.2152886,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceModel.Web.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6905,6905,2025-09-11 06:08:00.2177159,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ServiceProcess.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6906,6906,2025-09-11 
06:08:00.2195838,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Text.Encoding.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6907,6907,2025-09-11 06:08:00.2228532,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Text.Encoding.Extensions.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6908,6908,2025-09-11 06:08:00.2239958,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Text.RegularExpressions.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6909,6909,2025-09-11 06:08:00.2253441,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6910,6910,2025-09-11 06:08:00.2262816,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.Overlapped.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6911,6911,2025-09-11 06:08:00.2277088,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.Tasks.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6912,6912,2025-09-11 
06:08:00.2294271,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.Tasks.Parallel.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6913,6913,2025-09-11 06:08:00.2308533,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.Thread.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6914,6914,2025-09-11 06:08:00.2326994,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.ThreadPool.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6915,6915,2025-09-11 
06:08:00.2352328,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Threading.Timer.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6916,6916,2025-09-11 06:08:00.2359431,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.tlb""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6917,6917,2025-09-11 06:08:00.2365952,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Transactions.dll""},{""@Name"":""HandleId"",""#text"":""0x1F80""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6918,6918,2025-09-11 
06:08:00.2377332,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.ValueTuple.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6919,6919,2025-09-11 06:08:00.2393234,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Abstractions.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6920,6920,2025-09-11 06:08:00.2406323,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.ApplicationServices.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6921,6921,2025-09-11 
06:08:00.2414313,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.DataVisualization.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6922,6922,2025-09-11 06:08:00.2424992,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.DataVisualization.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6923,6923,2025-09-11 06:08:00.2440601,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6924,6924,2025-09-11 
06:08:00.2459477,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,16,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.DynamicData.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6925,6925,2025-09-11 06:08:00.2473686,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.DynamicData.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6926,6926,2025-09-11 06:08:00.2487674,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Entity.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6927,6927,2025-09-11 
06:08:00.2499688,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Entity.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6928,6928,2025-09-11 06:08:00.2509542,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Extensions.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6929,6929,2025-09-11 06:08:00.2517918,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Extensions.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6930,6930,2025-09-11 
06:08:00.2525135,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Mobile.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6931,6931,2025-09-11 06:08:00.2530577,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.RegularExpressions.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6932,6932,2025-09-11 06:08:00.2536052,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Routing.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6933,6933,2025-09-11 
06:08:00.2542194,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.Services.dll""},{""@Name"":""HandleId"",""#text"":""0x144C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6934,6934,2025-09-11 06:08:00.2548185,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.tlb""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6935,6935,2025-09-11 06:08:00.2569282,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Windows.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6936,6936,2025-09-11 
06:08:00.2583994,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Windows.Forms.DataVisualization.Design.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6937,6937,2025-09-11 06:08:00.2595287,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Windows.Forms.DataVisualization.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6938,6938,2025-09-11 06:08:00.2604641,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Windows.Forms.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6939,6939,2025-09-11 06:08:00.2622350,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Windows.Forms.tlb""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6940,6940,2025-09-11 06:08:00.2631772,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Workflow.Activities.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6941,6941,2025-09-11 06:08:00.2639740,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Workflow.ComponentModel.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6942,6942,2025-09-11 06:08:00.2642985,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Workflow.Runtime.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6943,6943,2025-09-11 06:08:00.2648635,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.WorkflowServices.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6944,6944,2025-09-11 06:08:00.2655977,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xaml.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6945,6945,2025-09-11 
06:08:00.2661400,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xaml.Hosting.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6946,6946,2025-09-11 06:08:00.2668236,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.XML.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6947,6947,2025-09-11 06:08:00.2674193,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.Linq.dll""},{""@Name"":""HandleId"",""#text"":""0x1B9C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6948,6948,2025-09-11 
06:08:00.2686136,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.ReaderWriter.dll""},{""@Name"":""HandleId"",""#text"":""0x2818""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6949,6949,2025-09-11 06:08:00.2686190,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.Serialization.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6950,6950,2025-09-11 06:08:00.2710040,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.XDocument.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6951,6951,2025-09-11 
06:08:00.2717031,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.XmlDocument.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6952,6952,2025-09-11 06:08:00.2724285,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.XmlSerializer.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6953,6953,2025-09-11 06:08:00.2729085,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.XPath.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6954,6954,2025-09-11 
06:08:00.2736082,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Xml.XPath.XDocument.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6955,6955,2025-09-11 06:08:00.2742652,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\TLBREF.DLL""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6956,6956,2025-09-11 06:08:00.2747822,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6957,6957,2025-09-11 
06:08:00.2757036,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\webengine.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6958,6958,2025-09-11 06:08:00.2763499,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\webengine4.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6959,6959,2025-09-11 06:08:00.2769146,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WMINet_Utils.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6960,6960,2025-09-11 
06:08:00.2775449,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6961,6961,2025-09-11 06:08:00.2780996,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WsatConfig.exe""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6962,6962,2025-09-11 06:08:00.2790113,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\XamlBuildTask.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6963,6963,2025-09-11 
06:08:00.2801711,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\XsdBuildTask.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6964,6964,2025-09-11 06:08:00.2816767,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\1033\\alinkui.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6965,6965,2025-09-11 06:08:00.2822710,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\1033\\cscui.dll""},{""@Name"":""HandleId"",""#text"":""0x14C4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6966,6966,2025-09-11 
06:08:00.2828709,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\1033\\FileTrackerUI.dll""},{""@Name"":""HandleId"",""#text"":""0x120C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6967,6967,2025-09-11 06:08:00.2835389,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\1033\\vbc7ui.dll""},{""@Name"":""HandleId"",""#text"":""0x12DC""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6968,6968,2025-09-11 06:08:00.2849267,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MUI\\0409\\mscorsecr.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6969,6969,2025-09-11 
06:08:00.2861188,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\NativeImages\\mscorlib.ni.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6970,6970,2025-09-11 06:08:00.2868813,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\NaturalLanguage6.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6971,6971,2025-09-11 06:08:00.2873752,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\NlsData0009.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6972,6972,2025-09-11 
06:08:00.2881180,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\NlsLexicons0009.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6973,6973,2025-09-11 06:08:00.2900329,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PenIMC.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6974,6974,2025-09-11 06:08:00.2919691,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PenIMC2_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6975,6975,2025-09-11 
06:08:00.2927320,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PenIMC_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6976,6976,2025-09-11 06:08:00.2936262,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationBuildTasks.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6977,6977,2025-09-11 06:08:00.2945060,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationCore.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6978,6978,2025-09-11 
06:08:00.2950952,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework-SystemCore.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6979,6979,2025-09-11 06:08:00.2957367,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework-SystemData.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6980,6980,2025-09-11 06:08:00.2963568,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework-SystemDrawing.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6981,6981,2025-09-11 06:08:00.2969537,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework-SystemXml.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6982,6982,2025-09-11 06:08:00.2974682,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework-SystemXmlLinq.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6983,6983,2025-09-11 06:08:00.2980393,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.Aero.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6984,6984,2025-09-11 06:08:00.2986359,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.Aero2.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6985,6985,2025-09-11 06:08:00.2992325,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.AeroLite.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6986,6986,2025-09-11 06:08:00.2998098,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.Classic.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6987,6987,2025-09-11 06:08:00.3004196,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.dll""},{""@Name"":""HandleId"",""#text"":""0x195C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6988,6988,2025-09-11 06:08:00.3020789,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,17,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.Luna.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6989,6989,2025-09-11 06:08:00.3032864,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationFramework.Royale.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6990,6990,2025-09-11 06:08:00.3043601,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationHost_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
6991,6991,2025-09-11 06:08:00.3050356,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationNative_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6992,6992,2025-09-11 06:08:00.3066218,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\PresentationUI.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6993,6993,2025-09-11 06:08:00.3073628,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\ReachFramework.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6994,6994,2025-09-11 
06:08:00.3079800,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\System.Printing.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6995,6995,2025-09-11 06:08:00.3085625,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\System.Speech.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6996,6996,2025-09-11 06:08:00.3092019,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\System.Windows.Controls.Ribbon.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6997,6997,2025-09-11 
06:08:00.3097853,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\System.Windows.Input.Manipulations.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6998,6998,2025-09-11 06:08:00.3105069,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\System.Windows.Presentation.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 6999,6999,2025-09-11 06:08:00.3109738,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\UIAutomationClient.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7000,7000,2025-09-11 
06:08:00.3121256,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\UIAutomationClientsideProviders.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7001,7001,2025-09-11 06:08:00.3126652,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\UIAutomationProvider.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7002,7002,2025-09-11 06:08:00.3135171,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\UIAutomationTypes.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7003,7003,2025-09-11 
06:08:00.3146036,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\WindowsBase.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7004,7004,2025-09-11 06:08:00.3149944,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\WindowsFormsIntegration.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7005,7005,2025-09-11 06:08:00.3161012,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\wpfgfx_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7006,7006,2025-09-11 
06:08:00.3168257,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF\\en-US\\PresentationHost_v0400.dll.mui""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7007,7007,2025-09-11 06:08:00.3184695,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess32.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7008,7008,2025-09-11 06:08:00.3196870,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AdoNetDiag.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7009,7009,2025-09-11 
06:08:00.3203110,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\alink.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7010,7010,2025-09-11 06:08:00.3217930,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AppLaunch.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7011,7011,2025-09-11 06:08:00.3222428,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7012,7012,2025-09-11 
06:08:00.3230848,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_filter.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7013,7013,2025-09-11 06:08:00.3239251,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_isapi.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7014,7014,2025-09-11 06:08:00.3246644,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Aspnet_perf.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7015,7015,2025-09-11 
06:08:00.3253439,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_rc.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7016,7016,2025-09-11 06:08:00.3261367,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regbrowsers.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7017,7017,2025-09-11 06:08:00.3265982,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regiis.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7018,7018,2025-09-11 
06:08:00.3271599,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regsql.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7019,7019,2025-09-11 06:08:00.3277550,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_state.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7020,7020,2025-09-11 06:08:00.3283858,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_wp.exe""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7021,7021,2025-09-11 
06:08:00.3290839,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CasPol.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7022,7022,2025-09-11 06:08:00.3296813,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7023,7023,2025-09-11 06:08:00.3305379,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrcompression.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7024,7024,2025-09-11 
06:08:00.3309694,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clretwrc.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7025,7025,2025-09-11 06:08:00.3316946,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7026,7026,2025-09-11 06:08:00.3319613,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\compatjit.dll""},{""@Name"":""HandleId"",""#text"":""0xF88""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7027,7027,2025-09-11 
06:08:00.3366622,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CORPerfMonExt.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7028,7028,2025-09-11 06:08:00.3416112,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7029,7029,2025-09-11 06:08:00.3447839,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Culture.dll""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7030,7030,2025-09-11 
06:08:00.3491586,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CustomMarshalers.dll""},{""@Name"":""HandleId"",""#text"":""0x2600""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7031,7031,2025-09-11 06:08:00.3530494,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe""},{""@Name"":""HandleId"",""#text"":""0x2204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7032,7032,2025-09-11 06:08:00.3606497,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfdll.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7033,7033,2025-09-11 
06:08:00.3665179,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\diasymreader.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7034,7034,2025-09-11 06:08:00.3730222,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\EventLogMessages.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7035,7035,2025-09-11 06:08:00.3778723,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\FileTracker.dll""},{""@Name"":""HandleId"",""#text"":""0x1204""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7036,7036,2025-09-11 
06:08:00.3859128,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\fusion.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7037,7037,2025-09-11 06:08:00.3940911,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ilasm.exe""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7038,7038,2025-09-11 06:08:00.3997064,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7039,7039,2025-09-11 
06:08:00.4065504,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtilLib.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7040,7040,2025-09-11 06:08:00.4134564,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ISymWrapper.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7041,7041,2025-09-11 06:08:00.4368957,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\jsc.exe""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7042,7042,2025-09-11 
06:08:00.4641760,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.JScript.tlb""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7043,7043,2025-09-11 06:08:00.4788950,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.Transactions.Bridge.Dtc.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7044,7044,2025-09-11 06:08:00.4874497,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Microsoft.VisualBasic.Activities.Compiler.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7045,7045,2025-09-11 06:08:00.5153898,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MmcAspExt.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7046,7046,2025-09-11 
06:08:00.5198126,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7047,7047,2025-09-11 06:08:00.5289731,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscordacwks.dll""},{""@Name"":""HandleId"",""#text"":""0xE14""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7048,7048,2025-09-11 06:08:00.5371293,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscordbi.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7049,7049,2025-09-11 
06:08:00.5434989,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoree.tlb""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7050,7050,2025-09-11 06:08:00.5572988,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7051,7051,2025-09-11 06:08:00.5613493,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreeis.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7052,7052,2025-09-11 
06:08:00.5670820,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7053,7053,2025-09-11 06:08:00.5752024,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,18,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorpe.dll""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7054,7054,2025-09-11 06:08:00.5836679,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorpehost.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7055,7055,2025-09-11 
06:08:00.5956821,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7056,7056,2025-09-11 06:08:00.6027978,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsecimpl.dll""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7057,7057,2025-09-11 06:08:00.6099910,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsn.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7058,7058,2025-09-11 
06:08:00.6168091,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvc.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7059,7059,2025-09-11 06:08:00.6217223,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7060,7060,2025-09-11 06:08:00.6304892,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7061,7061,2025-09-11 
06:08:00.6378202,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7062,7062,2025-09-11 06:08:00.6455769,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentasklauncher.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7063,7063,2025-09-11 06:08:00.6549496,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\PerfCounter.dll""},{""@Name"":""HandleId"",""#text"":""0x24F0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7064,7064,2025-09-11 
06:08:00.6607940,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\peverify.dll""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7065,7065,2025-09-11 06:08:00.6668177,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7066,7066,2025-09-11 06:08:00.6792326,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7067,7067,2025-09-11 
06:08:00.6849146,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\SbsNclPerf.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7068,7068,2025-09-11 06:08:00.6986719,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelEvents.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7069,7069,2025-09-11 06:08:00.7098063,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelInstallRC.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7070,7070,2025-09-11 
06:08:00.7155637,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7071,7071,2025-09-11 06:08:00.7209678,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelReg.exe""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7072,7072,2025-09-11 06:08:00.7256521,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelRegUI.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7073,7073,2025-09-11 
06:08:00.7305970,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceMonikerSupport.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7074,7074,2025-09-11 06:08:00.7484808,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,188,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\SOS.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7075,7075,2025-09-11 06:08:00.8435818,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Data.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7076,7076,2025-09-11 
06:08:00.8489006,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Data.OracleClient.dll""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7077,7077,2025-09-11 06:08:00.8843860,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Drawing.tlb""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7078,7078,2025-09-11 06:08:00.8984375,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.EnterpriseServices.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7079,7079,2025-09-11 
06:08:00.9166857,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.EnterpriseServices.Thunk.dll""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7080,7080,2025-09-11 06:08:00.9310467,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.EnterpriseServices.tlb""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7081,7081,2025-09-11 06:08:00.9338485,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,272,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.EnterpriseServices.Wrapper.dll""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 
7082,7082,2025-09-11 06:08:01.1041843,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.tlb""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7083,7083,2025-09-11 06:08:01.1156619,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Transactions.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7084,7084,2025-09-11 06:08:01.1253511,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Web.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7085,7085,2025-09-11 
06:08:01.1504419,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Web.tlb""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7086,7086,2025-09-11 06:08:01.1714907,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.Windows.Forms.tlb""},{""@Name"":""HandleId"",""#text"":""0xE24""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7087,7087,2025-09-11 06:08:01.2221156,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\TLBREF.DLL""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7088,7088,2025-09-11 
06:08:01.2280688,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7089,7089,2025-09-11 06:08:01.2434111,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine.dll""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7090,7090,2025-09-11 06:08:01.2604330,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7091,7091,2025-09-11 
06:08:01.2654265,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WMINet_Utils.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7092,7092,2025-09-11 06:08:01.2726218,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7093,7093,2025-09-11 06:08:01.2853332,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\1033\\alinkui.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7094,7094,2025-09-11 
06:08:01.2963987,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\1033\\cscui.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7095,7095,2025-09-11 06:08:01.3058823,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\1033\\FileTrackerUI.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7096,7096,2025-09-11 06:08:01.3237804,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\1033\\vbc7ui.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7097,7097,2025-09-11 
06:08:01.3373750,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MUI\\0409\\mscorsecr.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7098,7098,2025-09-11 06:08:01.3444429,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NativeImages\\mscorlib.ni.dll""},{""@Name"":""HandleId"",""#text"":""0x2FA0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7099,7099,2025-09-11 06:08:01.3494181,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\NaturalLanguage6.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7100,7100,2025-09-11 
06:08:01.3591082,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\NlsData0009.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7101,7101,2025-09-11 06:08:01.3658374,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\NlsLexicons0009.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7102,7102,2025-09-11 06:08:01.3723335,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PenIMC.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7103,7103,2025-09-11 
06:08:01.3817027,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PenIMC2_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7104,7104,2025-09-11 06:08:01.3858068,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PenIMC_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7105,7105,2025-09-11 06:08:01.3922444,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PresentationCore.dll""},{""@Name"":""HandleId"",""#text"":""0x2CB8""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7106,7106,2025-09-11 
06:08:01.4251207,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PresentationHost_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7107,7107,2025-09-11 06:08:01.4307857,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\PresentationNative_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7108,7108,2025-09-11 06:08:01.4451810,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\System.Printing.dll""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7109,7109,2025-09-11 
06:08:01.4724002,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,960,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\wpfgfx_v0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7110,7110,2025-09-11 06:08:01.4825795,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WPF\\en-US\\PresentationHost_v0400.dll.mui""},{""@Name"":""HandleId"",""#text"":""0x1EB0""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7111,7111,2025-09-11 06:08:01.4904215,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\Migration\\WTR\\netfx45_upgradecleanup.inf""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7112,7112,2025-09-11 
06:08:01.4952030,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\aspnet_counters.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7113,7113,2025-09-11 06:08:01.5070974,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\msvcp140_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7114,7114,2025-09-11 06:08:01.5113634,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\msvcr100_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x127C""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7115,7115,2025-09-11 
06:08:01.5175738,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\ucrtbase_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7116,7116,2025-09-11 06:08:01.5242150,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\vcruntime140_1_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7117,7117,2025-09-11 06:08:01.5300757,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\System32\\vcruntime140_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7118,7118,2025-09-11 
06:08:01.5365147,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,19,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\SysWOW64\\aspnet_counters.dll""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7119,7119,2025-09-11 06:08:01.5465932,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\SysWOW64\\msvcp140_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x1404""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7120,7120,2025-09-11 06:08:01.5513487,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\SysWOW64\\msvcr100_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x2370""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7121,7121,2025-09-11 
06:08:01.5597648,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,336,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\SysWOW64\\ucrtbase_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x12D4""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7122,7122,2025-09-11 06:08:01.5708729,4907,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,292,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""ObjectServer"",""#text"":""Security""},{""@Name"":""ObjectType"",""#text"":""File""},{""@Name"":""ObjectName"",""#text"":""C:\\Windows\\SysWOW64\\vcruntime140_clr0400.dll""},{""@Name"":""HandleId"",""#text"":""0x3058""},{""@Name"":""OldSd"",""#text"":""S:AINO_ACCESS_CONTROL""},{""@Name"":""NewSd"",""#text"":""S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)""},{""@Name"":""ProcessId"",""#text"":""0x710""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5911_none_7dd4fd687cb889e8\\TiWorker.exe""}]}}" 7123,7123,2025-09-11 06:08:15.0299328,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7124,7124,2025-09-11 06:08:15.0299421,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7125,7125,2025-09-11 06:08:15.3125432,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0xE9C,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xE9C""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 7126,7126,2025-09-11 06:08:15.3230149,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7127,7127,2025-09-11 06:08:15.3230220,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7128,7128,2025-09-11 06:08:15.5235212,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0xE9C,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xE9C""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 7129,7129,2025-09-11 06:08:15.8402661,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0xE9C,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xE9C""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 7130,7130,2025-09-11 06:08:15.8657276,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\VSSVC.exe,CallerProcessId: 0xE9C,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xE9C""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\VSSVC.exe""}]}}" 7131,7131,2025-09-11 06:08:33.2747630,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0xA24,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 
7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xA24""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7132,7132,2025-09-11 06:09:32.7493148,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7133,7133,2025-09-11 06:09:32.7493220,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7134,7134,2025-09-11 06:09:33.2976300,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7135,7135,2025-09-11 06:09:33.2976391,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7136,7136,2025-09-11 06:09:35.1582680,5058,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""708""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:09:33.9917974""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""UNKNOWN""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""KeyFilePath"",""#text"":""C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_2322cd04-2d2b-4dcf-acdb-b69abfa7ec6a""},{""@Name"":""Operation"",""#text"":""%%2458""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7137,7137,2025-09-11 06:09:35.1646041,5061,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device 
certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2480""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7138,7138,2025-09-11 06:09:35.1734104,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""708""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:09:33.9917974""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7139,7139,2025-09-11 06:09:38.7395925,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7140,7140,2025-09-11 06:09:38.7396065,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7141,7141,2025-09-11 06:09:39.5554668,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7142,7142,2025-09-11 06:09:39.5554751,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7143,7143,2025-09-11 06:09:41.8183803,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7144,7144,2025-09-11 06:09:41.8183986,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7145,7145,2025-09-11 06:09:42.2005873,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0xD90,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0xD90""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7146,7146,2025-09-11 06:09:45.2186455,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7147,7147,2025-09-11 06:09:45.2186553,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7148,7148,2025-09-11 06:09:47.0501162,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7149,7149,2025-09-11 06:09:47.0501240,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7150,7150,2025-09-11 06:10:44.0517064,4616,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,3284,DESKTOP-139UKNF,20,,The system time was changed,NT AUTHORITY\LOCAL SERVICE (S-1-5-19),,PreviousTime: 2025-09-11 06:10:03.7021252,NewTime: 2025-09-11 06:10:44.0490873,LogonId: 0x3E5,,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""PreviousTime"",""#text"":""2025-09-11 06:10:03.7021252""},{""@Name"":""NewTime"",""#text"":""2025-09-11 06:10:44.0490873""},{""@Name"":""ProcessId"",""#text"":""0x3B8""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7151,7151,2025-09-11 06:10:44.0582653,4616,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,340,DESKTOP-139UKNF,20,,The system time was changed,NT AUTHORITY\LOCAL SERVICE (S-1-5-19),,PreviousTime: 2025-09-11 06:10:44.0503112,NewTime: 2025-09-11 06:10:44.0538836,LogonId: 0x3E5,,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""PreviousTime"",""#text"":""2025-09-11 06:10:44.0503112""},{""@Name"":""NewTime"",""#text"":""2025-09-11 06:10:44.0538836""},{""@Name"":""ProcessId"",""#text"":""0x3B8""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7152,7152,2025-09-11 
06:10:48.2783947,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\LogonUI.exe,CallerProcessId: 0x3E4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x3E4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\LogonUI.exe""}]}}" 7153,7153,2025-09-11 06:10:48.2865852,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\LogonUI.exe,CallerProcessId: 0x3E4,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x3E4""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\LogonUI.exe""}]}}" 7154,7154,2025-09-11 06:10:48.5330541,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7155,7155,2025-09-11 06:10:48.5330612,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7156,7156,2025-09-11 06:10:49.9894296,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7157,7157,2025-09-11 06:10:49.9894388,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7158,7158,2025-09-11 06:11:01.3663144,5058,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""UNKNOWN""},{""@Name"":""KeyName"",""#text"":""{F19A6F74-207F-441A-9C11-4AD54872E03B}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""KeyFilePath"",""#text"":""C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\7c261574a6263d0921b30f6ac0379a18_2322cd04-2d2b-4dcf-acdb-b69abfa7ec6a""},{""@Name"":""Operation"",""#text"":""%%2458""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7159,7159,2025-09-11 06:11:01.3666959,5061,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage 
Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{F19A6F74-207F-441A-9C11-4AD54872E03B}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2480""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7160,7160,2025-09-11 06:11:01.6873288,5058,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""UNKNOWN""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""KeyFilePath"",""#text"":""C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\8324eae8c63f88d6db1e10fdc510048d_2322cd04-2d2b-4dcf-acdb-b69abfa7ec6a""},{""@Name"":""Operation"",""#text"":""%%2458""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7161,7161,2025-09-11 06:11:01.6876867,5061,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage 
Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2480""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7162,7162,2025-09-11 06:11:01.6878202,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7163,7163,2025-09-11 06:11:01.6901349,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage 
Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7164,7164,2025-09-11 06:11:01.7021638,4625,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Failed logon,WORKGROUP\DESKTOP-139UKNF$,- (127.0.0.1),Target: -\-,LogonType 2,FailureReason1: the cause is either a bad username or authentication information,FailureReason2: Unknown code (0xC0000380),,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit failure,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-0-0""},{""@Name"":""TargetUserName"",""#text"":""-""},{""@Name"":""TargetDomainName"",""#text"":""-""},{""@Name"":""Status"",""#text"":""0xC000006D""},{""@Name"":""FailureReason"",""#text"":""%%2304""},{""@Name"":""SubStatus"",""#text"":""0xC0000380""},{""@Name"":""LogonType"",""#text"":""2""},{""@Name"":""LogonProcessName"",""#text"":""User32 ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x764""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 7165,7165,2025-09-11 
06:11:06.5361032,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7166,7166,2025-09-11 06:11:06.6174048,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7167,7167,2025-09-11 
06:11:07.2637999,4738,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A user account was changed,WORKGROUP\DESKTOP-139UKNF$,,Target: DESKTOP-139UKNF\resea,Changed Attribute SamAccountName: - DisplayName: %%1793 UserPrincipalName: - HomeDirectory: - HomePath: - ScriptPath: - ProfilePath: - UserWorkstations: - PasswordLastSet: - AccountExpires: - PrimaryGroupId: - AllowedToDelegateTo: - OldUacValue: - NewUacValue: - UserAccountControl: - UserParameters: - SidHistory: - LogonHours: -,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""Dummy"",""#text"":""-""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""-""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""-""},{""@Name"":""HomePath"",""#text"":""-""},{""@Name"":""ScriptPath"",""#text"":""-""},{""@Name"":""ProfilePath"",""#text"":""-""},{""@Name"":""UserWorkstations"",""#text"":""-""},{""@Name"":""PasswordLastSet"",""#text"":""-""},{""@Name"":""AccountExpires"",""#text"":""-""},{""@Name"":""PrimaryGroupId"",""#text"":""-""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""-""},{""@Name"":""NewUacValue"",""#text"":""-""},{""@Name"":""UserAccountControl"",""#text"":""-""},{""@Name"":""UserParameters"",""#text"":""-""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""-""}]}}" 
7168,7168,2025-09-11 06:11:07.2853725,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,127.0.0.1:0,Target: MicrosoftAccount\researchaf@outlook.com,TargetServerName: localhost,PID: 0x764,TargetInfo: localhost,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x764""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""}]}}" 7169,7169,2025-09-11 06:11:07.2854479,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (127.0.0.1),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 11,LogonId: 0x147E76,AuthenticationPackageName: Negotiate,"LogonProcessName: User32 ",,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x147E76""},{""@Name"":""LogonType"",""#text"":""11""},{""@Name"":""LogonProcessName"",""#text"":""User32 ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x764""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x147EA9""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7170,7170,2025-09-11 06:11:07.2854785,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (127.0.0.1),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 11,LogonId: 0x147EA9,AuthenticationPackageName: Negotiate,"LogonProcessName: User32 
",,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x147EA9""},{""@Name"":""LogonType"",""#text"":""11""},{""@Name"":""LogonProcessName"",""#text"":""User32 ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x764""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""},{""@Name"":""IpAddress"",""#text"":""127.0.0.1""},{""@Name"":""IpPort"",""#text"":""0""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x147E76""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 7171,7171,2025-09-11 06:11:07.2854871,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,Administrative logon,MicrosoftAccount\researchaf@outlook.com (S-1-5-21-2679750263-731459410-1187419055-1001),,"PrivilegeList: SeSecurityPrivilege, SeTakeOwnershipPrivilege, 
SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x147E76,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""SubjectDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""SubjectLogonId"",""#text"":""0x147E76""},{""@Name"":""PrivilegeList"",""#text"":""SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7172,7172,2025-09-11 06:11:07.2925466,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7173,7173,2025-09-11 
06:11:07.2930288,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""4324""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:10:48.6651087""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""RSA""},{""@Name"":""KeyName"",""#text"":""{6AE2769F-2135-41F9-9D92-194BA0C19A1D}""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7174,7174,2025-09-11 06:11:07.3526567,4738,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,4864,DESKTOP-139UKNF,20,,A user account was changed,WORKGROUP\DESKTOP-139UKNF$,,Target: DESKTOP-139UKNF\resea,Changed Attribute SamAccountName: - DisplayName: %%1793 UserPrincipalName: - HomeDirectory: - HomePath: - ScriptPath: - ProfilePath: - UserWorkstations: - PasswordLastSet: - AccountExpires: - PrimaryGroupId: - AllowedToDelegateTo: - OldUacValue: - NewUacValue: - UserAccountControl: - UserParameters: - SidHistory: - LogonHours: -,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""Dummy"",""#text"":""-""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""-""},{""@Name"":""SamAccountName"",""#text"":""-""},{""@Name"":""DisplayName"",""#text"":""%%1793""},{""@Name"":""UserPrincipalName"",""#text"":""-""},{""@Name"":""HomeDirectory"",""#text"":""-""},{""@Name"":""HomePath"",""#text"":""-""},{""@Name"":""ScriptPath"",""#text"":""-""},{""@Name"":""ProfilePath"",""#text"":""-""},{""@Name"":""UserWorkstations"",""#text"":""-""},{""@Name"":""PasswordLastSet"",""#text"":""-""},{""@Name"":""AccountExpires"",""#text"":""-""},{""@Name"":""PrimaryGroupId"",""#text"":""-""},{""@Name"":""AllowedToDelegateTo"",""#text"":""-""},{""@Name"":""OldUacValue"",""#text"":""-""},{""@Name"":""NewUacValue"",""#text"":""-""},{""@Name"":""UserAccountControl"",""#text"":""-""},{""@Name"":""UserParameters"",""#text"":""-""},{""@Name"":""SidHistory"",""#text"":""-""},{""@Name"":""LogonHours"",""#text"":""-""}]}}" 7175,7175,2025-09-11 06:11:07.3588593,4648,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,4864,DESKTOP-139UKNF,20,,A logon was attempted using explicit credentials,WORKGROUP\DESKTOP-139UKNF$,-:-,Target: MicrosoftAccount\researchaf@outlook.com,TargetServerName: localhost,PID: 0x290,TargetInfo: localhost,,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TargetServerName"",""#text"":""localhost""},{""@Name"":""TargetInfo"",""#text"":""localhost""},{""@Name"":""ProcessId"",""#text"":""0x290""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""}]}}" 7176,7176,2025-09-11 06:11:07.3588978,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,4864,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (-),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 7,LogonId: 0x148159,AuthenticationPackageName: Negotiate,LogonProcessName: Negotiat,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x148159""},{""@Name"":""LogonType"",""#text"":""7""},{""@Name"":""LogonProcessName"",""#text"":""Negotiat""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x290""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x14818F""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7177,7177,2025-09-11 06:11:07.3589157,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,4864,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,DESKTOP-139UKNF (-),Target: MicrosoftAccount\researchaf@outlook.com,LogonType 7,LogonId: 0x14818F,AuthenticationPackageName: Negotiate,LogonProcessName: Negotiat,,C:\Windows\System32\lsass.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 
7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""TargetDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""TargetLogonId"",""#text"":""0x14818F""},{""@Name"":""LogonType"",""#text"":""7""},{""@Name"":""LogonProcessName"",""#text"":""Negotiat""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x290""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\lsass.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x148159""},{""@Name"":""ElevatedToken"",""#text"":""%%1843""}]}}" 7178,7178,2025-09-11 06:11:07.3589214,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,4864,DESKTOP-139UKNF,20,,Administrative logon,MicrosoftAccount\researchaf@outlook.com (S-1-5-21-2679750263-731459410-1187419055-1001),,"PrivilegeList: SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x148159,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""researchaf@outlook.com""},{""@Name"":""SubjectDomainName"",""#text"":""MicrosoftAccount""},{""@Name"":""SubjectLogonId"",""#text"":""0x148159""},{""@Name"":""PrivilegeList"",""#text"":""SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7179,7179,2025-09-11 06:11:07.3596807,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 7,LogonId: 0x14818F,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x14818F""},{""@Name"":""LogonType"",""#text"":""7""}]}}" 7180,7180,2025-09-11 06:11:07.3600154,4634,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,An account was logged off,,,Target: DESKTOP-139UKNF\resea,LogonType 7,LogonId: 0x148159,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x148159""},{""@Name"":""LogonType"",""#text"":""7""}]}}" 7181,7181,2025-09-11 06:11:07.6201046,4799,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,20,,A security-enabled local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: Builtin\Administrators (S-1-5-32-544),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x5EC,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrators""},{""@Name"":""TargetDomainName"",""#text"":""Builtin""},{""@Name"":""TargetSid"",""#text"":""S-1-5-32-544""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x5EC""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7182,7182,2025-09-11 06:11:07.7770713,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=02rrbglgrdhrehhq;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=02rrbglgrdhrehhq;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7183,7183,2025-09-11 06:11:07.7780950,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=02rrbglgrdhrehhq;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=02rrbglgrdhrehhq;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7184,7184,2025-09-11 
06:11:07.7891263,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:target=virtualapp/didlogical,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:target=virtualapp/didlogical""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7185,7185,2025-09-11 06:11:07.8362815,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7186,7186,2025-09-11 06:11:07.8422519,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7187,7187,2025-09-11 
06:11:07.8423307,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,20,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7188,7188,2025-09-11 06:11:08.7915800,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7189,7189,2025-09-11 06:11:08.7915889,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,20,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 
0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7190,7190,2025-09-11 06:11:09.7704820,5058,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""ClientProcessId"",""#text"":""5052""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:11:08.1494903""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""UNKNOWN""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""KeyFilePath"",""#text"":""C:\\Users\\resea\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_2322cd04-2d2b-4dcf-acdb-b69abfa7ec6a""},{""@Name"":""Operation"",""#text"":""%%2458""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7191,7191,2025-09-11 
06:11:09.7710064,5061,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2480""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7192,7192,2025-09-11 06:11:09.7714453,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""ClientProcessId"",""#text"":""5052""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:11:08.1494903""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""Microsoft Connected Devices Platform device certificate""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7193,7193,2025-09-11 
06:11:09.9520168,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7194,7194,2025-09-11 06:11:09.9538158,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7195,7195,2025-09-11 06:11:09.9538817,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7196,7196,2025-09-11 
06:11:09.9695057,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7197,7197,2025-09-11 06:11:09.9794020,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7198,7198,2025-09-11 06:11:10.8478196,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7199,7199,2025-09-11 06:11:10.8478276,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7200,7200,2025-09-11 06:11:11.1216610,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7201,7201,2025-09-11 06:11:11.7823367,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7202,7202,2025-09-11 06:11:11.7926930,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7203,7203,2025-09-11 
06:11:11.7928010,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7204,7204,2025-09-11 06:11:11.8106166,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7205,7205,2025-09-11 06:11:17.1403420,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7206,7206,2025-09-11 
06:11:17.1429819,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7207,7207,2025-09-11 06:11:17.1430598,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7208,7208,2025-09-11 06:11:17.2239175,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7209,7209,2025-09-11 
06:11:17.8160319,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7210,7210,2025-09-11 06:11:17.8187932,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7211,7211,2025-09-11 06:11:17.8190566,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7212,7212,2025-09-11 
06:11:17.8284191,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7213,7213,2025-09-11 06:11:18.7084283,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7214,7214,2025-09-11 06:11:18.7141041,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7215,7215,2025-09-11 
06:11:18.7141928,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7216,7216,2025-09-11 06:11:18.7150427,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7217,7217,2025-09-11 06:11:18.7173068,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7218,7218,2025-09-11 
06:11:18.7173845,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7219,7219,2025-09-11 06:11:18.7228876,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7220,7220,2025-09-11 06:11:18.7253805,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7221,7221,2025-09-11 
06:11:28.0014611,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7222,7222,2025-09-11 06:11:28.0031455,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,576,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7223,7223,2025-09-11 06:11:28.0032146,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7224,7224,2025-09-11 
06:11:28.0092503,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7225,7225,2025-09-11 06:11:28.0528721,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7226,7226,2025-09-11 06:11:28.0540918,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7227,7227,2025-09-11 
06:11:28.0541414,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7228,7228,2025-09-11 06:11:28.0726472,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7229,7229,2025-09-11 06:11:28.3670682,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7230,7230,2025-09-11 
06:11:28.3684053,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7231,7231,2025-09-11 06:11:28.3684760,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7232,7232,2025-09-11 06:11:28.3695059,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7233,7233,2025-09-11 
06:11:34.5754143,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7234,7234,2025-09-11 06:11:34.5814454,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7235,7235,2025-09-11 06:11:34.5818169,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7236,7236,2025-09-11 
06:11:34.5854696,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7237,7237,2025-09-11 06:11:35.8671380,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7238,7238,2025-09-11 06:11:35.8671577,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,21,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7239,7239,2025-09-11 06:11:58.8552442,5058,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""708""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:09:33.9917974""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""UNKNOWN""},{""@Name"":""KeyName"",""#text"":""ff974828ab14d69c""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""KeyFilePath"",""#text"":""C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\d9f6a57b9a8d45b569698c1f53b85ce4_2322cd04-2d2b-4dcf-acdb-b69abfa7ec6a""},{""@Name"":""Operation"",""#text"":""%%2458""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7240,7240,2025-09-11 06:11:58.8572484,5061,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage 
Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""ff974828ab14d69c""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2480""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7241,7241,2025-09-11 06:11:58.8614575,5059,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""ClientProcessId"",""#text"":""708""},{""@Name"":""ClientCreationTime"",""#text"":""2025-09-11 06:09:33.9917974""},{""@Name"":""ProviderName"",""#text"":""Microsoft Software Key Storage Provider""},{""@Name"":""AlgorithmName"",""#text"":""ECDSA_P256""},{""@Name"":""KeyName"",""#text"":""ff974828ab14d69c""},{""@Name"":""KeyType"",""#text"":""%%2500""},{""@Name"":""Operation"",""#text"":""%%2464""},{""@Name"":""ReturnCode"",""#text"":""0x0""}]}}" 7242,7242,2025-09-11 06:12:01.5236942,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7243,7243,2025-09-11 06:12:01.7651789,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7244,7244,2025-09-11 
06:12:01.7656285,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7245,7245,2025-09-11 06:12:02.2461650,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7246,7246,2025-09-11 06:12:02.3124618,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7247,7247,2025-09-11 
06:12:02.3146627,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7248,7248,2025-09-11 06:12:02.3148435,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7249,7249,2025-09-11 06:12:02.3169164,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7250,7250,2025-09-11 
06:12:03.0823262,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7251,7251,2025-09-11 06:12:03.0930723,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7252,7252,2025-09-11 06:12:03.0937394,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7253,7253,2025-09-11 
06:12:03.1871708,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7254,7254,2025-09-11 06:12:03.6580929,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7255,7255,2025-09-11 06:12:03.6645733,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7256,7256,2025-09-11 
06:12:03.6649004,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7257,7257,2025-09-11 06:12:03.8291252,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7258,7258,2025-09-11 06:12:05.6962051,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7259,7259,2025-09-11 
06:12:05.7051985,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7260,7260,2025-09-11 06:12:05.7058183,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7261,7261,2025-09-11 06:12:05.9523977,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7262,7262,2025-09-11 
06:12:06.1670018,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7263,7263,2025-09-11 06:12:06.1737914,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7264,7264,2025-09-11 06:12:06.1751789,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7265,7265,2025-09-11 
06:12:06.2354646,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7266,7266,2025-09-11 06:12:06.2407138,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7267,7267,2025-09-11 06:12:06.2425489,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7268,7268,2025-09-11 
06:12:06.3674887,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,544,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7269,7269,2025-09-11 06:12:06.4724361,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7270,7270,2025-09-11 06:12:07.0676942,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7271,7271,2025-09-11 
06:12:07.0705334,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7272,7272,2025-09-11 06:12:07.0706960,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7273,7273,2025-09-11 06:12:07.0824127,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7274,7274,2025-09-11 
06:12:07.1700025,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7275,7275,2025-09-11 06:12:07.1730044,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7276,7276,2025-09-11 06:12:07.1731856,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7277,7277,2025-09-11 
06:12:07.1757773,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7278,7278,2025-09-11 06:12:07.4452876,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7279,7279,2025-09-11 06:12:07.4519591,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7280,7280,2025-09-11 
06:12:07.4521766,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7281,7281,2025-09-11 06:12:07.4624257,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7282,7282,2025-09-11 06:12:08.3537307,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7283,7283,2025-09-11 
06:12:08.3618857,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7284,7284,2025-09-11 06:12:08.3645974,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7285,7285,2025-09-11 06:12:08.3763415,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7286,7286,2025-09-11 
06:12:09.0448523,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7287,7287,2025-09-11 06:12:09.0903084,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7288,7288,2025-09-11 06:12:09.0905685,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7289,7289,2025-09-11 
06:12:09.2909693,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,752,DESKTOP-139UKNF,21,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7290,7290,2025-09-11 06:12:09.4646597,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT 
AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi ""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7291,7291,2025-09-11 06:12:09.4646829,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, 
SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7292,7292,2025-09-11 06:12:17.1546373,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7293,7293,2025-09-11 06:12:17.1574914,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7294,7294,2025-09-11 06:12:17.1580168,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7295,7295,2025-09-11 
06:12:17.1900465,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7296,7296,2025-09-11 06:12:17.4474664,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7297,7297,2025-09-11 06:12:17.4506119,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7298,7298,2025-09-11 
06:12:17.4507619,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7299,7299,2025-09-11 06:12:17.4520991,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7300,7300,2025-09-11 06:12:17.5003254,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7301,7301,2025-09-11 
06:12:17.5020996,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7302,7302,2025-09-11 06:12:17.5022745,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7303,7303,2025-09-11 06:12:17.5905059,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7304,7304,2025-09-11 
06:12:17.5948715,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7305,7305,2025-09-11 06:12:17.5985729,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7306,7306,2025-09-11 06:12:17.5987240,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7307,7307,2025-09-11 
06:12:17.6029808,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7308,7308,2025-09-11 06:12:17.6054731,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7309,7309,2025-09-11 06:12:17.6056008,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7310,7310,2025-09-11 
06:12:17.6573124,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7311,7311,2025-09-11 06:12:17.6655867,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7312,7312,2025-09-11 06:12:17.6662082,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7313,7313,2025-09-11 
06:12:17.6717764,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7314,7314,2025-09-11 06:12:17.6745653,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7315,7315,2025-09-11 06:12:17.6760590,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7316,7316,2025-09-11 
06:12:17.6802018,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7317,7317,2025-09-11 06:12:17.6803308,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7318,7318,2025-09-11 06:12:17.8877416,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7319,7319,2025-09-11 
06:12:17.9981530,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7320,7320,2025-09-11 06:12:18.9396649,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7321,7321,2025-09-11 06:12:18.9414910,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7322,7322,2025-09-11 
06:12:18.9416374,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7323,7323,2025-09-11 06:12:19.0342065,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7324,7324,2025-09-11 06:12:20.6140757,5382,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""SchemaFriendlyName"",""#text"":""NGC Local Accoount Logon Vault Resource Schema""},{""@Name"":""Schema"",""#text"":""1d4350a3-330d-4af9-b3ff-a927a45998ac""},{""@Name"":""Resource"",""#text"":""NGC Local Accoount Logon Vault Resource""},{""@Name"":""Identity"",""#text"":""01050000000000051500000077BEB99F522F992BAF93C646E9030000""},{""@Name"":""PackageSid""},{""@Name"":""Flags"",""#text"":""0""},{""@Name"":""ReturnCode"",""#text"":""1168""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:10:48.5342155""},{""@Name"":""ClientProcessId"",""#text"":""4296""}]}}" 7325,7325,2025-09-11 06:12:24.1231301,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: 
S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7326,7326,2025-09-11 06:12:24.1338610,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7327,7327,2025-09-11 06:12:24.1340113,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7328,7328,2025-09-11 
06:12:24.2319556,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7329,7329,2025-09-11 06:12:24.6345100,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7330,7330,2025-09-11 06:12:24.6380494,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7331,7331,2025-09-11 
06:12:24.6381898,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7332,7332,2025-09-11 06:12:24.6895785,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7333,7333,2025-09-11 06:12:28.9937708,4624,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Successful logon,WORKGROUP\DESKTOP-139UKNF$,- (-),Target: NT AUTHORITY\SYSTEM,LogonType 5,LogonId: 0x3E7,AuthenticationPackageName: Negotiate,"LogonProcessName: Advapi ",,C:\Windows\System32\services.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""TargetUserSid"",""#text"":""S-1-5-18""},{""@Name"":""TargetUserName"",""#text"":""SYSTEM""},{""@Name"":""TargetDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""TargetLogonId"",""#text"":""0x3E7""},{""@Name"":""LogonType"",""#text"":""5""},{""@Name"":""LogonProcessName"",""#text"":""Advapi 
""},{""@Name"":""AuthenticationPackageName"",""#text"":""Negotiate""},{""@Name"":""WorkstationName"",""#text"":""-""},{""@Name"":""LogonGuid"",""#text"":""00000000-0000-0000-0000-000000000000""},{""@Name"":""TransmittedServices"",""#text"":""-""},{""@Name"":""LmPackageName"",""#text"":""-""},{""@Name"":""KeyLength"",""#text"":""0""},{""@Name"":""ProcessId"",""#text"":""0x27C""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\services.exe""},{""@Name"":""IpAddress"",""#text"":""-""},{""@Name"":""IpPort"",""#text"":""-""},{""@Name"":""ImpersonationLevel"",""#text"":""%%1833""},{""@Name"":""RestrictedAdminMode"",""#text"":""-""},{""@Name"":""TargetOutboundUserName"",""#text"":""-""},{""@Name"":""TargetOutboundDomainName"",""#text"":""-""},{""@Name"":""VirtualAccount"",""#text"":""%%1843""},{""@Name"":""TargetLinkedLogonId"",""#text"":""0x0""},{""@Name"":""ElevatedToken"",""#text"":""%%1842""}]}}" 7334,7334,2025-09-11 06:12:28.9937831,4672,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Administrative logon,NT AUTHORITY\SYSTEM (S-1-5-18),,"PrivilegeList: SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege",LogonId: 0x3E7,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""SYSTEM""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""PrivilegeList"",""#text"":""SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, 
SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeDelegateSessionUserImpersonatePrivilege""}]}}" 7335,7335,2025-09-11 06:12:29.7840934,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7336,7336,2025-09-11 06:12:29.7895896,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7337,7337,2025-09-11 06:12:29.7897968,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7338,7338,2025-09-11 
06:12:29.7922379,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,704,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7339,7339,2025-09-11 06:12:34.4033334,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7340,7340,2025-09-11 06:12:34.4055654,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7341,7341,2025-09-11 
06:12:34.4057059,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7342,7342,2025-09-11 06:12:34.4075722,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7343,7343,2025-09-11 06:12:43.1405298,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7344,7344,2025-09-11 
06:12:43.1431229,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7345,7345,2025-09-11 06:12:43.1432669,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7346,7346,2025-09-11 06:12:43.1515851,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7347,7347,2025-09-11 
06:12:43.1949495,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7348,7348,2025-09-11 06:12:43.1998917,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7349,7349,2025-09-11 06:12:43.2000434,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7350,7350,2025-09-11 
06:12:43.2034194,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7351,7351,2025-09-11 06:13:05.4541279,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7352,7352,2025-09-11 06:13:05.4586498,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(token):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7353,7353,2025-09-11 
06:13:05.4591815,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 0,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""WindowsLive:(cert):name=researchaf@outlook.com;serviceuri=*""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""0""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""3221226021""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7354,7354,2025-09-11 06:13:05.4609651,5379,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,Credential Manager credentials were read,resea,,SID: S-1-5-21-2679750263-731459410-1187419055-1001,Domain: DESKTOP-139UKNF,LogonID: 0x147EA9,CountOfCredentialsReturned: 1,,ActivityID: 55248d5c-22e2-0000-f78d-2455e222dc01,MicrosoftAccount:user=researchaf@outlook.com,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserName"",""#text"":""resea""},{""@Name"":""SubjectDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""SubjectLogonId"",""#text"":""0x147EA9""},{""@Name"":""TargetName"",""#text"":""MicrosoftAccount:user=researchaf@outlook.com""},{""@Name"":""Type"",""#text"":""0""},{""@Name"":""CountOfCredentialsReturned"",""#text"":""1""},{""@Name"":""ReadOperation"",""#text"":""%%8100""},{""@Name"":""ReturnCode"",""#text"":""0""},{""@Name"":""ProcessCreationTime"",""#text"":""2025-09-11 06:07:47.7365765""},{""@Name"":""ClientProcessId"",""#text"":""3296""}]}}" 7355,7355,2025-09-11 06:13:07.7814359,4647,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,688,DESKTOP-139UKNF,22,,User initiated logoff,Target: DESKTOP-139UKNF\resea,,,,LogonId: 0x147EA9,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetLogonId"",""#text"":""0x147EA9""}]}}" 7356,7356,2025-09-11 06:13:08.1761294,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Administrator (S-1-5-21-2679750263-731459410-1187419055-500),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Administrator""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-500""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7357,7357,2025-09-11 06:13:08.1763877,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\AF107User (S-1-5-21-2679750263-731459410-1187419055-1002),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""AF107User""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1002""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7358,7358,2025-09-11 06:13:08.1765895,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\DefaultAccount 
(S-1-5-21-2679750263-731459410-1187419055-503),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""DefaultAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-503""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7359,7359,2025-09-11 06:13:08.1767715,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\Guest (S-1-5-21-2679750263-731459410-1187419055-501),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""Guest""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-501""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7360,7360,2025-09-11 
06:13:08.1769766,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\resea (S-1-5-21-2679750263-731459410-1187419055-1001),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""resea""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-1001""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7361,7361,2025-09-11 06:13:08.1771673,4798,LogAlways,Microsoft-Windows-Security-Auditing,Security,656,700,DESKTOP-139UKNF,22,,A user's local group membership was enumerated,WORKGROUP\DESKTOP-139UKNF$ (S-1-5-18),,Target: DESKTOP-139UKNF\WDAGUtilityAccount (S-1-5-21-2679750263-731459410-1187419055-504),SubjectLogonId: 0x3E7,CallerProcessName: C:\Windows\System32\svchost.exe,CallerProcessId: 0x764,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit 
success,0,"{""EventData"":{""Data"":[{""@Name"":""TargetUserName"",""#text"":""WDAGUtilityAccount""},{""@Name"":""TargetDomainName"",""#text"":""DESKTOP-139UKNF""},{""@Name"":""TargetSid"",""#text"":""S-1-5-21-2679750263-731459410-1187419055-504""},{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-18""},{""@Name"":""SubjectUserName"",""#text"":""DESKTOP-139UKNF$""},{""@Name"":""SubjectDomainName"",""#text"":""WORKGROUP""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E7""},{""@Name"":""CallerProcessId"",""#text"":""0x764""},{""@Name"":""CallerProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}" 7362,7362,2025-09-11 06:13:09.7817288,1100,Info,Microsoft-Windows-Eventlog,Security,1056,2372,DESKTOP-139UKNF,22,,The event logging service has shut down,,,,,,,,,,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,0x4020000000000000,0,"{""UserData"":{""ServiceShutdown"":""""}}" 7363,7363,2025-09-11 06:13:09.7006102,4616,LogAlways,Microsoft-Windows-Security-Auditing,Security,4,32,DESKTOP-139UKNF,22,,The system time was changed,NT AUTHORITY\LOCAL SERVICE (S-1-5-19),,PreviousTime: 2025-09-11 06:13:09.6899956,NewTime: 2025-09-11 06:13:09.6993739,LogonId: 0x3E5,,,,C:\Windows\System32\svchost.exe,False,C:\Users\QuelP\Documents\Research\CASES\case 7\Export\Security.evtx,Audit success,0,"{""EventData"":{""Data"":[{""@Name"":""SubjectUserSid"",""#text"":""S-1-5-19""},{""@Name"":""SubjectUserName"",""#text"":""LOCAL SERVICE""},{""@Name"":""SubjectDomainName"",""#text"":""NT AUTHORITY""},{""@Name"":""SubjectLogonId"",""#text"":""0x3E5""},{""@Name"":""PreviousTime"",""#text"":""2025-09-11 06:13:09.6899956""},{""@Name"":""NewTime"",""#text"":""2025-09-11 06:13:09.6993739""},{""@Name"":""ProcessId"",""#text"":""0x3B8""},{""@Name"":""ProcessName"",""#text"":""C:\\Windows\\System32\\svchost.exe""}]}}"