11/10/2021 12:31:30 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=141 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration deleted OpCode=Info RecordNumber=14141 Keywords=None Message=User "ATTACKRANGE\Administrator" deleted Task Scheduler task "\spawn" 11/10/2021 12:31:30 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=141 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration deleted OpCode=Info RecordNumber=14140 Keywords=None Message=User "ATTACKRANGE\Administrator" deleted Task Scheduler task "\T1053_005_OnStartup" 11/10/2021 12:31:30 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=141 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration deleted OpCode=Info RecordNumber=14139 Keywords=None Message=User "ATTACKRANGE\Administrator" deleted Task Scheduler task "\T1053_005_OnLogon" 11/10/2021 12:31:32 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=141 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration deleted OpCode=Info RecordNumber=14142 Keywords=None Message=User "ATTACKRANGE\Administrator" deleted Task Scheduler task "\AtomicTask" 11/10/2021 12:31:33 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=141 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration deleted OpCode=Info RecordNumber=14143 Keywords=None Message=User "ATTACKRANGE\Administrator" deleted Task Scheduler task "\T1053_005_WMI" 11/10/2021 12:31:36 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=106 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registered OpCode=Info RecordNumber=14145 Keywords=None Message=User "S-1-5-18" registered Task Scheduler task "\T1053_005_OnStartup" 11/10/2021 12:31:36 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=106 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registered OpCode=Info RecordNumber=14144 Keywords=None Message=User "ATTACKRANGE\administrator" registered Task Scheduler task "\T1053_005_OnLogon" 11/10/2021 12:31:37 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=106 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registered OpCode=Info RecordNumber=14147 Keywords=None Message=User "ATTACKRANGE\administrator" registered Task Scheduler task "\AtomicTask" 11/10/2021 12:31:37 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=106 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registered OpCode=Info RecordNumber=14146 Keywords=None Message=User "ATTACKRANGE\administrator" registered Task Scheduler task "\spawn" 11/10/2021 12:31:41 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=108 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered on event OpCode=Info RecordNumber=14149 Keywords=None Message=Task Scheduler launched "{00000000-0000-0000-0000-000000000000}" instance of task "\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents" according to an event trigger. 11/10/2021 12:31:41 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=140 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration updated OpCode=Info RecordNumber=14148 Keywords=None Message=User "ATTACKRANGE\administrator" updated Task Scheduler task "\Run Notepad" 11/10/2021 12:31:42 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=140 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registration updated OpCode=Info RecordNumber=14151 Keywords=None Message=User "ATTACKRANGE\administrator" updated Task Scheduler task "\T1053_005_WMI" 11/10/2021 12:31:42 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=106 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task registered OpCode=Info RecordNumber=14150 Keywords=None Message=User "ATTACKRANGE\administrator" registered Task Scheduler task "\T1053_005_WMI" 11/10/2021 12:31:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14155 Keywords=None Message=Task Scheduler launched action "C:\Windows\System32\notepad.exe" in instance "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" of task "\Run Notepad". 11/10/2021 12:31:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14154 Keywords=None Message=Task Scheduler started "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:31:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14153 Keywords=None Message=Task Scheduler launch task "\Run Notepad" , instance "C:\Windows\System32\notepad.exe" with process ID 3056. 11/10/2021 12:31:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=107 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered on scheduler OpCode=Info RecordNumber=14152 Keywords=None Message=Task Scheduler launched "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" instance of task "\Run Notepad" due to a time trigger condition. 11/10/2021 12:33:48 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14159 Keywords=None Message=Task Scheduler launched "{F1A62525-50AE-4EF6-A415-17310D496996}" instance of task "\T1053_005_WMI" for user "Users" . 11/10/2021 12:33:48 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14158 Keywords=None Message=Task Scheduler launched action "notepad.exe" in instance "{624D31B8-CDDE-42E6-9018-9920F8E51647}" of task "\T1053_005_WMI". 11/10/2021 12:33:48 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14157 Keywords=None Message=Task Scheduler started "{624D31B8-CDDE-42E6-9018-9920F8E51647}" instance of the "\T1053_005_WMI" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:48 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14156 Keywords=None Message=Task Scheduler launch task "\T1053_005_WMI" , instance "notepad.exe" with process ID 10148. 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14165 Keywords=None Message=Task Scheduler successfully finished "{B6B6B8B0-AA30-48F3-B77B-EF91D6C867CD}" instance of the "\T1053_005_OnStartup" task for user "NT AUTHORITY\SYSTEM". 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14164 Keywords=None Message=Task Scheduler successfully completed task "\T1053_005_OnStartup" , instance "{B6B6B8B0-AA30-48F3-B77B-EF91D6C867CD}" , action "cmd.exe" with return code 0. 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14163 Keywords=None Message=Task Scheduler launched "{B6B6B8B0-AA30-48F3-B77B-EF91D6C867CD}" instance of task "\T1053_005_OnStartup" for user "System" . 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14162 Keywords=None Message=Task Scheduler launched action "cmd.exe" in instance "{B6B6B8B0-AA30-48F3-B77B-EF91D6C867CD}" of task "\T1053_005_OnStartup". 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14161 Keywords=None Message=Task Scheduler started "{B6B6B8B0-AA30-48F3-B77B-EF91D6C867CD}" instance of the "\T1053_005_OnStartup" task for user "NT AUTHORITY\SYSTEM". 11/10/2021 12:33:50 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14160 Keywords=None Message=Task Scheduler launch task "\T1053_005_OnStartup" , instance "cmd.exe" with process ID 6816. 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14171 Keywords=None Message=Task Scheduler successfully finished "{66363E36-8EB3-46E6-A706-EB70982DC2E4}" instance of the "\T1053_005_OnLogon" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14170 Keywords=None Message=Task Scheduler successfully completed task "\T1053_005_OnLogon" , instance "{66363E36-8EB3-46E6-A706-EB70982DC2E4}" , action "cmd.exe" with return code 0. 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14169 Keywords=None Message=Task Scheduler launched "{66363E36-8EB3-46E6-A706-EB70982DC2E4}" instance of task "\T1053_005_OnLogon" for user "Administrator" . 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14168 Keywords=None Message=Task Scheduler launched action "cmd.exe" in instance "{66363E36-8EB3-46E6-A706-EB70982DC2E4}" of task "\T1053_005_OnLogon". 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14167 Keywords=None Message=Task Scheduler started "{66363E36-8EB3-46E6-A706-EB70982DC2E4}" instance of the "\T1053_005_OnLogon" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:52 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14166 Keywords=None Message=Task Scheduler launch task "\T1053_005_OnLogon" , instance "cmd.exe" with process ID 9864. 11/10/2021 12:33:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14175 Keywords=None Message=Task Scheduler launched "{E71D784F-95A1-4FAD-B005-FF99395AFC40}" instance of task "\spawn" for user "Administrator" . 11/10/2021 12:33:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14174 Keywords=None Message=Task Scheduler launched action "C:\windows\system32\cmd.exe" in instance "{E71D784F-95A1-4FAD-B005-FF99395AFC40}" of task "\spawn". 11/10/2021 12:33:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14173 Keywords=None Message=Task Scheduler started "{E71D784F-95A1-4FAD-B005-FF99395AFC40}" instance of the "\spawn" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14172 Keywords=None Message=Task Scheduler launch task "\spawn" , instance "C:\windows\system32\cmd.exe" with process ID 3100. 11/10/2021 12:33:56 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14177 Keywords=None Message=Task Scheduler successfully finished "{E71D784F-95A1-4FAD-B005-FF99395AFC40}" instance of the "\spawn" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:56 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14176 Keywords=None Message=Task Scheduler successfully completed task "\spawn" , instance "{E71D784F-95A1-4FAD-B005-FF99395AFC40}" , action "C:\windows\system32\cmd.exe" with return code 3221225786. 11/10/2021 12:33:59 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14181 Keywords=None Message=Task Scheduler launched "{E5C91693-EB73-444E-B4AC-2FCAED672010}" instance of task "\Run Notepad" for user "Administrator" . 11/10/2021 12:33:59 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14180 Keywords=None Message=Task Scheduler launched action "C:\Windows\System32\notepad.exe" in instance "{E5C91693-EB73-444E-B4AC-2FCAED672010}" of task "\Run Notepad". 11/10/2021 12:33:59 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14179 Keywords=None Message=Task Scheduler started "{E5C91693-EB73-444E-B4AC-2FCAED672010}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:33:59 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14178 Keywords=None Message=Task Scheduler launch task "\Run Notepad" , instance "C:\Windows\System32\notepad.exe" with process ID 2096. 11/10/2021 12:34:06 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14185 Keywords=None Message=Task Scheduler launched "{CD2435C3-7818-4133-97CC-4B9E14D2F802}" instance of task "\CreateExplorerShellUnelevatedTask" for user "Administrator" . 11/10/2021 12:34:06 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14184 Keywords=None Message=Task Scheduler launched action "C:\Windows\explorer.exe" in instance "{CD2435C3-7818-4133-97CC-4B9E14D2F802}" of task "\CreateExplorerShellUnelevatedTask". 11/10/2021 12:34:06 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14183 Keywords=None Message=Task Scheduler started "{CD2435C3-7818-4133-97CC-4B9E14D2F802}" instance of the "\CreateExplorerShellUnelevatedTask" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:34:06 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14182 Keywords=None Message=Task Scheduler launch task "\CreateExplorerShellUnelevatedTask" , instance "C:\Windows\explorer.exe" with process ID 9616. 11/10/2021 12:34:07 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14187 Keywords=None Message=Task Scheduler successfully finished "{CD2435C3-7818-4133-97CC-4B9E14D2F802}" instance of the "\CreateExplorerShellUnelevatedTask" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:34:07 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14186 Keywords=None Message=Task Scheduler successfully completed task "\CreateExplorerShellUnelevatedTask" , instance "{CD2435C3-7818-4133-97CC-4B9E14D2F802}" , action "C:\Windows\explorer.exe" with return code 2147942401. 11/10/2021 12:36:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=329 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task stopping due to timeout reached OpCode=Info RecordNumber=14191 Keywords=None Message=Task Scheduler terminated "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" instance of the "\Run Notepad" task due to exceeding the time allocated for execution, as configured in the task definition. User Action: Increase the configured task timeout or investigate external reasons for the delay. 11/10/2021 12:36:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14190 Keywords=None Message=Task Scheduler successfully finished "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:36:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14189 Keywords=None Message=Task Scheduler successfully completed task "\Run Notepad" , instance "{17A2062C-ECA9-4D3D-BD68-A325B75BDF7E}" , action "C:\Windows\System32\notepad.exe" with return code 2147943691. 11/10/2021 12:36:51 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14188 Keywords=None Message=Task Scheduler launch task "NT TASK\Run Notepad" , instance "taskhostw.exe" with process ID 7324. 11/10/2021 12:41:44 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14193 Keywords=None Message=Task Scheduler successfully finished "{E5C91693-EB73-444E-B4AC-2FCAED672010}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:41:44 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14192 Keywords=None Message=Task Scheduler successfully completed task "\Run Notepad" , instance "{E5C91693-EB73-444E-B4AC-2FCAED672010}" , action "C:\Windows\System32\notepad.exe" with return code 0. 11/10/2021 12:41:45 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14195 Keywords=None Message=Task Scheduler successfully finished "{624D31B8-CDDE-42E6-9018-9920F8E51647}" instance of the "\T1053_005_WMI" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:41:45 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14194 Keywords=None Message=Task Scheduler successfully completed task "\T1053_005_WMI" , instance "{624D31B8-CDDE-42E6-9018-9920F8E51647}" , action "notepad.exe" with return code 0. 11/10/2021 12:41:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14199 Keywords=None Message=Task Scheduler launched "{9CB9E11E-641B-4C29-A39C-76E932044E77}" instance of task "\Run Notepad" for user "Administrator" . 11/10/2021 12:41:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14198 Keywords=None Message=Task Scheduler launched action "C:\Windows\System32\notepad.exe" in instance "{9CB9E11E-641B-4C29-A39C-76E932044E77}" of task "\Run Notepad". 11/10/2021 12:41:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14197 Keywords=None Message=Task Scheduler started "{9CB9E11E-641B-4C29-A39C-76E932044E77}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:41:55 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14196 Keywords=None Message=Task Scheduler launch task "\Run Notepad" , instance "C:\Windows\System32\notepad.exe" with process ID 10104. 11/10/2021 12:42:00 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=111 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task terminated OpCode=Termination RecordNumber=14204 Keywords=None Message=Task Scheduler terminated "{9CB9E11E-641B-4C29-A39C-76E932044E77}" instance of the "\Run Notepad" task. 11/10/2021 12:42:00 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14203 Keywords=None Message=Task Scheduler successfully finished "{9CB9E11E-641B-4C29-A39C-76E932044E77}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:42:00 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14202 Keywords=None Message=Task Scheduler successfully completed task "\Run Notepad" , instance "{9CB9E11E-641B-4C29-A39C-76E932044E77}" , action "C:\Windows\System32\notepad.exe" with return code 2147943691. 11/10/2021 12:42:00 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14201 Keywords=None Message=Task Scheduler launch task "NT TASK\Run Notepad" , instance "taskhostw.exe" with process ID 6676. 11/10/2021 12:42:00 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=330 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task stopping due to user request OpCode=Info RecordNumber=14200 Keywords=None Message=Task Scheduler stopped instance "{9CB9E11E-641B-4C29-A39C-76E932044E77}" of task "\Run Notepad" as request by user "ATTACKRANGE\Administrator" . 11/10/2021 12:42:04 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=110 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task triggered by user OpCode=Info RecordNumber=14208 Keywords=None Message=Task Scheduler launched "{24278C90-80C7-48FC-9251-613D178FC50D}" instance of task "\Run Notepad" for user "Administrator" . 11/10/2021 12:42:04 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=200 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action started OpCode=Start RecordNumber=14207 Keywords=None Message=Task Scheduler launched action "C:\Windows\System32\notepad.exe" in instance "{24278C90-80C7-48FC-9251-613D178FC50D}" of task "\Run Notepad". 11/10/2021 12:42:04 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=100 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task Started OpCode=Start RecordNumber=14206 Keywords=None Message=Task Scheduler started "{24278C90-80C7-48FC-9251-613D178FC50D}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:42:04 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=129 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Created Task Process OpCode=Info RecordNumber=14205 Keywords=None Message=Task Scheduler launch task "\Run Notepad" , instance "C:\Windows\System32\notepad.exe" with process ID 7012. 11/10/2021 12:42:07 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=102 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Task completed OpCode=Stop RecordNumber=14210 Keywords=None Message=Task Scheduler successfully finished "{24278C90-80C7-48FC-9251-613D178FC50D}" instance of the "\Run Notepad" task for user "ATTACKRANGE\Administrator". 11/10/2021 12:42:07 PM LogName=Microsoft-Windows-TaskScheduler/Operational SourceName=Microsoft-Windows-TaskScheduler EventCode=201 EventType=4 Type=Information ComputerName=win-dc-469.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=Action completed OpCode=Stop RecordNumber=14209 Keywords=None Message=Task Scheduler successfully completed task "\Run Notepad" , instance "{24278C90-80C7-48FC-9251-613D178FC50D}" , action "C:\Windows\System32\notepad.exe" with return code 0.