Recommended Remediations-Suspicious Software/Malware Executed

This document outlines the general Cybersecurity recommendations for manual remediation when re-imaging the affected device is not possible. Cybersecurity always recommends re-imaging the affected device for complete remediation when possible. The steps outlined are not comprehensive; new techniques are continuously emerging to evade detection and removal.

Terminate Running Process Associated with the Application

Review the Processes tab in Task Manager for suspicious processes and terminate them. Suspicious processes often have:

  • Unfamiliar process names (names you don't recognize)
  • Process names similar to the suspicious application (names with slight misspellings or variations)
  • High CPU, memory, or disk consumption
  • A command line indicating the process is running from %AppData% (example path: C:\Users\<username>\AppData\); the Command line column can be enabled by right-clicking a column header in Task Manager

[Screenshot: Task Manager navigation]

Remove Scheduled Tasks/Persistence Mechanisms Associated with Application

Review Task Scheduler for scheduled tasks associated with the application and delete all of them. The names of scheduled tasks associated with the application may contain the application name or a slight variation of it. Ensure the option to view hidden tasks is checked (View > Show Hidden Tasks); suspicious applications may attempt to hide their scheduled tasks from the standard Task Scheduler view.

[Screenshot: scheduled task outline and analysis]

Remove Registry Entries Associated with Application

The following registry locations should be reviewed for entries associated with the application, and any such entries removed:

  • RunOnce registry keys execute a program once when a user logs on; the entry is deleted after the program runs.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (applies to all users)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (applies to the current user)
  • Run registry keys execute a program every time the user logs on.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (applies to all users)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (applies to the current user)
  • HKEY_LOCAL_MACHINE\Software (review for keys named after the application or a variation of its name)
  • HKEY_CURRENT_USER\Software (review for keys named after the application or a variation of its name)

Remove Files Associated with Application

Ensure that all processes associated with the application are fully terminated and that associated scheduled tasks/persistence mechanisms have been disabled or deleted before proceeding with file removal. If any associated processes or scheduled tasks/persistence mechanisms remain, file removal may be unsuccessful, or the files may be recreated.

The following actions should be taken to identify and remove files/folders associated with the application:

  • Complete a Full Scan with Cisco Secure Endpoint
  • Manually review the following file locations for files/folders associated with the application. The names of the files/folders may contain slight misspellings or variations of the application name. (AppData is a hidden folder; enable "Show hidden items" in File Explorer or type the path directly into the address bar.)
    • C:\Users\<username>\AppData\Local
    • C:\Users\<username>\AppData\Roaming
    • C:\Users\<username>\Downloads
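The PowerShell triage script below is an added example and is not part of this KB article. It pulls the checks above (processes running from AppData, scheduled tasks including hidden ones, Run/RunOnce values, recently changed files under AppData and Downloads) into one read-only listing for an analyst to review before anything is terminated or deleted. It assumes Windows PowerShell 5.1 or later run as Administrator in the affected user's session; $Keyword is a hypothetical fragment of the suspicious application's name.

```powershell
# Read-only triage: lists candidates for analyst review, removes nothing.
# Assumes Windows PowerShell 5.1+, run elevated in the affected user's session.
# $Keyword is a hypothetical fragment of the suspicious application's name.
param([string]$Keyword = "suspiciousapp")

$Roaming = $env:APPDATA         # C:\Users\<username>\AppData\Roaming
$Local   = $env:LOCALAPPDATA    # C:\Users\<username>\AppData\Local

"== Processes running from AppData or named like '$Keyword' =="
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like "*\AppData\*" -or $_.Name -like "*$Keyword*" } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

# Get-ScheduledTask returns hidden tasks too; Windows ships a few hidden tasks of
# its own, so "Hidden" is a review flag, not proof of malice.
"== Scheduled tasks: hidden, named like '$Keyword', or launching from AppData =="
Get-ScheduledTask |
    ForEach-Object {
        [pscustomobject]@{
            TaskPath = $_.TaskPath; TaskName = $_.TaskName; State = $_.State
            Hidden   = $_.Settings.Hidden
            Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } |
    Where-Object { $_.Hidden -or $_.TaskName -like "*$Keyword*" -or $_.Action -like "*AppData*" } |
    Format-Table -AutoSize -Wrap

"== Run / RunOnce autostart values (all users and current user) =="
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RunKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $Key = $_
    # PSObject.Properties exposes each value name; skip the provider metadata properties.
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' } |
        ForEach-Object { [pscustomobject]@{ Key = $Key; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize -Wrap

"== Files under AppData or Downloads changed in the last 7 days or named like '$Keyword' =="
Get-ChildItem -Path $Local, $Roaming, "$env:USERPROFILE\Downloads" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -or $_.Name -like "*$Keyword*" } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize -Wrap
```

Save the output (for example, pipe the script to Out-File) before remediation so the ticket records what was found, and note that HKCU and the user paths reflect only the account the script runs under.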

Keywords:
recommended cybersecurity recommendations remediation malware executed scheduled task hidden recurring infected 
Doc ID:
157153
Owned by:
Jennifer K. in Cybersecurity Testing and Cyber Defense
Created:
2025-12-09
Updated:
2025-12-09
Sites:
Cybersecurity Operations Center, Cybersecurity Testing and Cyber Defense