Yeah, I already reinstalled the OS, deleting all the files, but the hacking continues.
I think the hacker accesses the 1-5-21-1024--blah blah SID account by hijacking my IP address, and he took the system account authority of my PC.
It is nonsense that the hacker came from a random attack, because I neither accessed any suspicious sites or downloads nor changed my IP after reinstalling the OS. It might be reasonable to think the hacker is the NT authority account itself.
I found that these anonymous log-in attempts are related to <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> and <Correlation ActivityID="{6586b4ce-dfda-0000-4ab5-8665dadfd801}"
<EventData>
<EventID>4625</EventID>
<Keywords>0x8010000000000000</Keywords>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">AZUREADMIN</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">40.117.130.218</Data>
<Data Name="IpPort">0</Data>
</EventData>
Will these Event Viewer actions be helpful for recovering the system?
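
An added example, not part of the original post: a small Python triage of the 4625 record quoted above, decoding its `Status`, `SubStatus` and `LogonType` fields and counting failures per source address. The function names are hypothetical, and the sample is constructed from the fields shown in the post.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a subset of the <EventData> fields quoted in the post.
SAMPLE = """<EventData>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">AZUREADMIN</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">40.117.130.218</Data>
</EventData>"""

# NTSTATUS values commonly seen in event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or password)",
    0xC0000064: "STATUS_NO_SUCH_USER (user name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (user exists, wrong password)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}

def parse_4625(xml_text):
    """Return the named <Data> fields of one event as a dict."""
    root = ET.fromstring(xml_text)
    # Match on the local tag name so namespaced exports also parse.
    return {el.get("Name"): (el.text or "")
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Data"}

def triage(fields):
    """Decode the numeric codes of a failed-logon record."""
    sub = int(fields["SubStatus"], 16)
    return {
        "source_ip": fields["IpAddress"],
        "user_tried": fields["TargetUserName"],
        "logon_type": LOGON_TYPE.get(int(fields["LogonType"]), "other"),
        "status": NTSTATUS.get(int(fields["Status"], 16), "unknown"),
        "sub_status": NTSTATUS.get(sub, "unknown"),
        # True when the attempted name matched no account on the machine.
        "no_such_account": sub == 0xC0000064,
    }

def top_sources(events_xml):
    """Count failed logons per source address across many events."""
    return Counter(parse_4625(x)["IpAddress"] for x in events_xml)

if __name__ == "__main__":
    print(triage(parse_4625(SAMPLE)))
```

For the quoted record this reports a network logon (type 3) over NTLM that failed because the user name `AZUREADMIN` does not exist on the machine.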