From f87873afda0fc8f8a6644b072505a2d0d19771f7 Mon Sep 17 00:00:00 2001
From: pex7hfbnt <1584881064@qq.com>
Date: Wed, 16 Oct 2024 23:39:58 +0800
Subject: [PATCH] ADD file via upload

---
 source/samples/Sample_Logon_Events.csv | 13814 +++++++++++++++++++++++
 1 file changed, 13814 insertions(+)
 create mode 100644 source/samples/Sample_Logon_Events.csv

diff --git a/source/samples/Sample_Logon_Events.csv b/source/samples/Sample_Logon_Events.csv
new file mode 100644
index 0000000..b0b9d60
--- /dev/null
+++ b/source/samples/Sample_Logon_Events.csv
@@ -0,0 +1,13814 @@
+Date and Time,timestamp,Event ID,Account Name,Account Domain,Logon Type,Logon Process,Source IP,Workstation Name,Computer Name,Channel,Original Event Log
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:58:04.842263Z"">
+    </TimeCreated>
+    <EventRecordID>2982101</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x73b44c</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">E8C9AC4A-31FC-C37F-B4D7-B3217C608858</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64849</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.497329Z"">
+    </TimeCreated>
+    <EventRecordID>2982097</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2456"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738cf9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50616</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.372001Z"">
+    </TimeCreated>
+    <EventRecordID>2982092</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738ce4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50614</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.325837Z"">
+    </TimeCreated>
+    <EventRecordID>2982089</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738afd</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50613</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.278193Z"">
+    </TimeCreated>
+    <EventRecordID>2982084</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x738ae4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">DCED4BA6-CF24-37EF-0627-B0E4EED7F565</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50609</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.263194Z"">
+    </TimeCreated>
+    <EventRecordID>2171296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2504"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aadb8</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62863</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.252932Z"">
+    </TimeCreated>
+    <EventRecordID>2171295</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2512"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aad4a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62862</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:49.966623Z"">
+    </TimeCreated>
+    <EventRecordID>2171294</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aa47f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">27FCE179-F80F-F6A6-7DF4-C247E783B072</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62860</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.842119Z"">
+    </TimeCreated>
+    <EventRecordID>2171292</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c9a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.823276Z"">
+    </TimeCreated>
+    <EventRecordID>2171291</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c80</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60728</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.570502Z"">
+    </TimeCreated>
+    <EventRecordID>2171290</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x21a8c68</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18206</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""492"" ThreadID=""564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x1371b</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">IEWIN7</Data>
+    <Data Name=""TargetLogonId"">0x1bbdce</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-03-18T15:06:29.911579+04:00,1552907189.911579,4624,user01,EXAMPLE,9,seclogo,::1,,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:29.911579Z"">
+    </TimeCreated>
+    <EventRecordID>432903</EventRecordID>
+    <Correlation ActivityID=""661F2D37-D535-43F5-BAE0-06BE7E6614D7"">
+    </Correlation>
+    <Execution ProcessID=""524"" ThreadID=""2884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x18a7875</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x4530f0f</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3ec</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:16:19.989944Z"">
+    </TimeCreated>
+    <EventRecordID>563342</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x116c7b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">55589</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:16:09.458302+04:00,1552947369.458302,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.692401Z"">
+    </TimeCreated>
+    <EventRecordID>563300</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x110085</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">31E347DC-FF67-08B3-EADC-1EC267B1975B</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.676748+04:00,1552947349.676748,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,PC01,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.614293Z"">
+    </TimeCreated>
+    <EventRecordID>563297</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fc09</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.614293+04:00,1552947349.614293,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.614293Z"">
+    </TimeCreated>
+    <EventRecordID>563294</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fbeb</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">BAEC19DA-130D-80F0-BD26-78045EE64D62</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.598756+04:00,1552947349.598756,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.583102Z"">
+    </TimeCreated>
+    <EventRecordID>563285</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fbcc</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">BAEC19DA-130D-80F0-BD26-78045EE64D62</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49244</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.567435+04:00,1552947349.567435,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:36.036376Z"">
+    </TimeCreated>
+    <EventRecordID>563265</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fac2</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55585</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:58:04.842263Z"">
+    </TimeCreated>
+    <EventRecordID>2982101</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x73b44c</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">E8C9AC4A-31FC-C37F-B4D7-B3217C608858</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64849</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.497329Z"">
+    </TimeCreated>
+    <EventRecordID>2982097</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2456"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738cf9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50616</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.372001Z"">
+    </TimeCreated>
+    <EventRecordID>2982092</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738ce4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50614</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.325837Z"">
+    </TimeCreated>
+    <EventRecordID>2982089</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738afd</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50613</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.278193Z"">
+    </TimeCreated>
+    <EventRecordID>2982084</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x738ae4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">DCED4BA6-CF24-37EF-0627-B0E4EED7F565</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50609</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:21.929554Z"">
+    </TimeCreated>
+    <EventRecordID>566894</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x18423d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">56034</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:21.929554+04:00,1552953741.929554,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:21.460919Z"">
+    </TimeCreated>
+    <EventRecordID>566889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x184212</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">56033</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.319945+04:00,1552953724.319945,4624,Administrator,EXAMPLE,3,NtLmSsp,-,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.257778Z"">
+    </TimeCreated>
+    <EventRecordID>566835</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2d2</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.241919+04:00,1552953724.241919,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.226251Z"">
+    </TimeCreated>
+    <EventRecordID>566830</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2c0</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49237</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.226251+04:00,1552953724.226251,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.210688Z"">
+    </TimeCreated>
+    <EventRecordID>566826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2aa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49236</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.210688+04:00,1552953724.210688,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,NULL,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.179623Z"">
+    </TimeCreated>
+    <EventRecordID>566823</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x17e29a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">NULL</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49236</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:31:31.556812Z"">
+    </TimeCreated>
+    <EventRecordID>5323</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x7d4f4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49169</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:31:19.529518Z"">
+    </TimeCreated>
+    <EventRecordID>5322</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x73d02</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49168</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:29:41.418441+04:00,1550071781.418441,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:29:40.657347Z"">
+    </TimeCreated>
+    <EventRecordID>5319</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x4a26d</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x994</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:27:53.653483+04:00,1550071673.653483,4624,IEUser,PC02,10,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:26:53.356780Z"">
+    </TimeCreated>
+    <EventRecordID>5315</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x45120</Data>
+    <Data Name=""LogonType"">10</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x658</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">49164</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:25:17.799376+04:00,1550071517.799376,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:19:51.259835Z"">
+    </TimeCreated>
+    <EventRecordID>5308</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x21f73</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x198</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:19:51.259835+04:00,1550071191.259835,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:17:38.779337Z"">
+    </TimeCreated>
+    <EventRecordID>5305</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:17:38.779337+04:00,1550071058.779337,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:17:38.018243Z"">
+    </TimeCreated>
+    <EventRecordID>5303</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:17:38.018243+04:00,1550071058.018243,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:36.367608Z"">
+    </TimeCreated>
+    <EventRecordID>5302</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""876"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x113f5</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:08.821952+04:00,1550070908.821952,4624,sshd_server,PC02,5,Advapi,-,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:08.689762Z"">
+    </TimeCreated>
+    <EventRecordID>5299</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1002</Data>
+    <Data Name=""TargetUserName"">sshd_server</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0xe509</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:08.689762+04:00,1550070908.689762,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:08.216083Z"">
+    </TimeCreated>
+    <EventRecordID>5296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:07.852561+04:00,1550070907.852561,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:07.422945Z"">
+    </TimeCreated>
+    <EventRecordID>5293</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:07.422945+04:00,1550070907.422945,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.924796Z"">
+    </TimeCreated>
+    <EventRecordID>5291</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.924796+04:00,1550070905.924796,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.660417Z"">
+    </TimeCreated>
+    <EventRecordID>5289</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.660417+04:00,1550070905.660417,4624,LOCAL SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.065564Z"">
+    </TimeCreated>
+    <EventRecordID>5287</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.065564+04:00,1550070905.065564,4624,NETWORK SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.911343Z"">
+    </TimeCreated>
+    <EventRecordID>5285</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-20</Data>
+    <Data Name=""TargetUserName"">NETWORK SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e4</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.911343+04:00,1550070904.911343,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.635947Z"">
+    </TimeCreated>
+    <EventRecordID>5283</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.635947+04:00,1550070904.635947,4624,SYSTEM,NT AUTHORITY,0,-,-,-,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.175284Z"">
+    </TimeCreated>
+    <EventRecordID>5281</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""484"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">0</Data>
+    <Data Name=""LogonProcessName"">-</Data>
+    <Data Name=""AuthenticationPackageName"">-</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x4</Data>
+    <Data Name=""ProcessName""></Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.135227+04:00,1550070904.135227,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:14:52.409734Z"">
+    </TimeCreated>
+    <EventRecordID>5278</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""1716"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:57.397648+04:00,1552951437.397648,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:57.397648Z"">
+    </TimeCreated>
+    <EventRecordID>565611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3116"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e25f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">1054A084-EFFD-F992-9C74-63873C88272E</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55873</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:52.507387+04:00,1552951432.507387,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:52.491923Z"">
+    </TimeCreated>
+    <EventRecordID>565599</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""1208"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e1a7</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">14CCCD18-A781-AC28-C773-EA57D49F4B90</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49222</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:51.772355+04:00,1552951431.772355,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:43.570212Z"">
+    </TimeCreated>
+    <EventRecordID>565596</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e162</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55872</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:24:20.960030Z"">
+    </TimeCreated>
+    <EventRecordID>565653</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x16792b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">55878</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,3,Advapi,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T18:04:39.987123Z"">
+    </TimeCreated>
+    <EventRecordID>161473</EventRecordID>
+    <Correlation ActivityID=""C5412E82-8BC5-0000-0A2F-41C5C58BD601"">
+    </Correlation>
+    <Execution ProcessID=""644"" ThreadID=""5436"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1009</Data>
+    <Data Name=""SubjectUserName"">svc01</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x10b6b3</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x22afa1</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x140c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18206</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""492"" ThreadID=""564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x1371b</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">IEWIN7</Data>
+    <Data Name=""TargetLogonId"">0x1bbdce</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:58.363696+04:00,1550081098.363696,4624,admin01,EXAMPLE,10,User32,127.0.0.1,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:58.363696Z"">
+    </TimeCreated>
+    <EventRecordID>227762</EventRecordID>
+    <Correlation ActivityID=""94862AEA-0C0C-4B98-88B1-A269075A77E2"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x14a321</Data>
+    <Data Name=""LogonType"">10</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">AF83A89C-C68A-5397-5AC6-24A0C4D2BAF6</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x4b8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">49274</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.462400+04:00,1550081097.4624,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.442372Z"">
+    </TimeCreated>
+    <EventRecordID>227747</EventRecordID>
+    <Correlation ActivityID=""FF684E42-4C42-4957-A95F-F8957CF3A4B8"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x148f5d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:45.905783+04:00,1550081085.905783,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:43.171852Z"">
+    </TimeCreated>
+    <EventRecordID>227740</EventRecordID>
+    <Correlation ActivityID=""44F141EB-B63A-462B-9DEE-3998C9913055"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x14871d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:02:05.418087+04:00,1550080925.418087,4624,user01,EXAMPLE,7,Negotiat,-,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:02:04.526806Z"">
+    </TimeCreated>
+    <EventRecordID>227708</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3420"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x1414d9</Data>
+    <Data Name=""LogonType"">7</Data>
+    <Data Name=""LogonProcessName"">Negotiat</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">42DAF7A9-F185-F292-0EBD-B86A26624D31</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x208</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:02:04.436676+04:00,1550080924.436676,4624,user01,EXAMPLE,11,User32,127.0.0.1,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:02:04.426662Z"">
+    </TimeCreated>
+    <EventRecordID>227701</EventRecordID>
+    <Correlation ActivityID=""AD38FF07-BC05-4620-A79A-51E18F454768"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""1920"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x1414c8</Data>
+    <Data Name=""LogonType"">11</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x704</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.263194Z"">
+    </TimeCreated>
+    <EventRecordID>2171296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2504"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aadb8</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62863</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.252932Z"">
+    </TimeCreated>
+    <EventRecordID>2171295</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2512"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aad4a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62862</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:49.966623Z"">
+    </TimeCreated>
+    <EventRecordID>2171294</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aa47f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">27FCE179-F80F-F6A6-7DF4-C247E783B072</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62860</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.842119Z"">
+    </TimeCreated>
+    <EventRecordID>2171292</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c9a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.823276Z"">
+    </TimeCreated>
+    <EventRecordID>2171291</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c80</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60728</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.570502Z"">
+    </TimeCreated>
+    <EventRecordID>2171290</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x21a8c68</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"