Update 2: So I ran ESET's Online Scanner was able to identify the culprit as a Trojan.BitCoinMiner or RiskWare.BitCoinMiner. It found 2 instances:
When that was cleaned up, I let the server idle for a while, and when I came back, LogBack.exe (in Temp) was consuming most of the CPU, the registry entries were back and the Firewall was turned off. I killed the running process, deleted the registry entries and started the Firewall.
Then I found this article on Bleeping Computers to remove a Trojan.BitCoinMiner
I ran Malwarebytes and it discovered 3 instances:
I ran through all the other steps in the article, but they didn't yield any more useful results.
However, Malwarebytes has been quietly running in the background and blocking multiple (11 so far) incoming Russian IPs on port 443 as "compromised". But it also blocked one outgoing Ukraine IP (220.127.116.11 on port 80) and tagging it as "Trojan". The web request came from:
"The call is coming from inside the house." So that only happened once, but it appears that some process fired off a PS script that tried to call home and failed. But, I've had TaskMan running on the side of the screen the whole time and every now and then I see powershell.exe popup for a second and disappear again. At this point, I don't know if that's a server thing or this trojan.
In any case, it hasn't reappeared since I installed and ran Malwarebytes, but I'll have to let the server idle again to see if it returns.