Scheduled Tasks


PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
TaskName        TaskPath   State
--------        --------   -----
SoftwareUpdates \        Running
UpdateServer    \          Ready

2 non-default scheduled tasks have been identified.

\SoftwareUpdates


PS C:\> cmd /c schtasks /QUERY /TN \SoftwareUpdates /V /FO LIST
 
Folder: \
HostName:                             ATOM
TaskName:                             \SoftwareUpdates
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive only
Last Run Time:                        1/8/2024 6:12:52 PM
Last Result:                          267009
Author:                               ATOM\Administrator
Task To Run:                          C:\Users\jason\appdata\roaming\cache\run.bat 
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          jason
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

C:\Users\jason\appdata\roaming\cache\run.bat



PS C:\> cat C:\Users\jason\appdata\roaming\cache\run.bat
@echo off
 
:LOOP
 
echo Running Executables
 
start /b c:\Users\jason\appdata\Local\programs\heedv1\heedv1.exe > nul
start /b c:\Users\jason\appdata\Local\programs\heedv2\heedv2.exe > nul
start /b c:\Users\jason\appdata\Local\programs\heedv3\heedv3.exe > nul
 
echo Wait for updates
 
ping -n 30 127.0.0.1 > nul
 
echo Killing Executables
 
taskkill /F /IM heedv1.exe
taskkill /F /IM heedv2.exe
taskkill /F /IM heedv3.exe
 
ping -n 30 127.0.0.1 > nul
 
cls
 
goto :LOOP
 
:EXIT

This batch script appears to be the “updater” that fetches the latest.yml file from those 3 “client” directories. It also kills the running processes to avoid botched updates and waits between operations.

\UpdateServer


PS C:\> cmd /c schtasks /QUERY /TN \UpdateServer /V /FO LIST
 
Folder: \
HostName:                             ATOM
TaskName:                             \UpdateServer
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive only
Last Run Time:                        1/8/2024 6:12:52 PM
Last Result:                          0
Author:                               ATOM\Administrator
Task To Run:                          C:\Users\jason\appdata\roaming\cache\http-server.bat 
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          jason
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

C:\Users\jason\appdata\roaming\cache\http-server.bat



PS C:\> cat C:\Users\jason\appdata\roaming\cache\http-server.bat
@echo off
 
echo Starting servers
 
start /b c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client1 -p 8081
start /b c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client2 -p 8082
start /b c:\users\jason\downloads\node_modules\.bin\http-server c:\software_updates\client3 -p 8083

Judging by the listed directories, this batch script might be part of the run.bat file above. Those processes use the ports found earlier: 8081, 8082, and 8083.

PS C:\> ls Software_Updates
 
 
    Directory: C:\Software_Updates
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          1/9/2024   5:33 AM                client1                                                              
d-----          1/9/2024   5:33 AM                client2                                                              
d-----          1/9/2024   5:33 AM                client3                                                              
-a----          4/9/2021   4:18 AM          35202 UAT_Testing_Procedures.pdf

The C:\Software_Updates directory is one of the SMB shares. This would mean that those 3 “client” directories are served over HTTP.
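
The per-task review done by hand above (action path, run-as user, trigger type) can be collected into one audit pass over every non-Microsoft task. This is an added example, not part of the original notes. The script-extension list and the set of identities treated as administrative are assumptions to adjust per environment.

```powershell
# Added example: audit non-Microsoft scheduled tasks and the files they launch.
# Run elevated so every task definition and file ACL is readable.
$scriptExt = '.bat', '.cmd', '.ps1', '.vbs', '.js'          # assumed list of script types
$trusted   = 'SYSTEM$|\\Administrators$|TrustedInstaller$'  # assumed admin-equivalent identities
$writeBit  = [System.Security.AccessControl.FileSystemRights]::WriteData

Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions have an Execute property; skip COM handler actions.
            if (-not $action.Execute) { continue }

            $target = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $exists = Test-Path -LiteralPath $target -PathType Leaf

            # Allow ACEs granting write access to identities outside $trusted.
            # ACEs expressed only as generic rights are not decoded here.
            $writers = @()
            if ($exists) {
                $writers = @((Get-Acl -LiteralPath $target).Access |
                    Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.FileSystemRights.HasFlag($writeBit) -and
                        $_.IdentityReference.Value -notmatch $trusted
                    } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique)
            }

            [pscustomobject]@{
                Task             = $task.TaskPath + $task.TaskName
                RunAs            = $task.Principal.UserId
                Triggers         = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                Target           = $target
                TargetExists     = $exists
                IsScript         = [IO.Path]::GetExtension($target).ToLower() -in $scriptExt
                UnderUserProfile = $target -like "$env:SystemDrive\Users\*"
                NonAdminWriters  = $writers -join '; '
            }
        }
    } | Format-List
```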