#1
Emotet: Variants...Has anyone dealt with any strange stuff?
Hey guys, I am new here. I have joined a couple of forums over the last few days, trying to get some information.
I just cleaned out a crazy persistent Emotet infection, and I am having some trouble figuring out a baseline now. I need to know if you guys have named pipes set to allow anonymous shares configured by svchost with SeTcbPrivilege normally, ideally immediately following a clean install. The information can be found in Event Viewer under Applications and Services Logs/Microsoft/Windows/SMB Server and also the SMB Client path. That was the ingress point, and after cleaning the infection with nuke and pave, the pipes are set back to that same setting with activity from untrackable processes. So I bought a new laptop just to check it out, and strangely, there was one entry in the event logs from last year where a pipe was set to allow anonymous users and then configured as a NetBT endpoint. Terminal Server logs show the pipe used in and out once. To me, this is very odd. Can anyone enlighten me? Win10 19042, also saw behavior on 20h
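The question above is really a baselining problem: knowing what the null-session pipe settings and the SMB server/client event channels look like on a clean install, so a later capture from the rebuilt machine can be diffed against it. The PowerShell below is an added example written for this thread, not code from the original post or from Microsoft. It reads the `NullSessionPipes`, `NullSessionShares` and `RestrictNullSessAccess` values under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` (the settings that govern anonymous access to pipes and shares), snapshots the named pipes currently open, and exports every `Microsoft-Windows-SMB*` channel under Applications and Services Logs to CSV. The channel names are discovered with a wildcard rather than hardcoded, and the output directory `$OutDir` is an assumed default.

```powershell
# Added example (not from the original post): capture a baseline of the
# null-session (anonymous) named-pipe settings, the open named pipes and the
# SMB server/client event channels on a freshly installed Windows 10 host,
# so a later capture can be diffed against it. Run from an elevated prompt.
# $OutDir is an assumed location; change it as needed.
param([string]$OutDir = "$env:USERPROFILE\smb-baseline")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Registry values that control which pipes and shares anonymous
#    (null-session) clients may reach. NullSessionPipes is the list the
#    post is asking about; RestrictNullSessAccess = 1 is the hardened value.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$props  = Get-ItemProperty -Path $lanman
[PSCustomObject]@{
    NullSessionPipes       = (@($props.NullSessionPipes)  -join ';')
    NullSessionShares      = (@($props.NullSessionShares) -join ';')
    RestrictNullSessAccess = $props.RestrictNullSessAccess
} | Export-Csv -Path (Join-Path $OutDir 'null-session-settings.csv') -NoTypeInformation

# 2. Named pipes currently open on the host (names only). Diffing this list
#    between a clean install and the rebuilt machine shows pipes that appeared.
[System.IO.Directory]::GetFiles('\\.\pipe\') |
    Sort-Object |
    Set-Content -Path (Join-Path $OutDir 'named-pipes.txt')

# 3. Every SMB server/client channel under Applications and Services Logs ->
#    Microsoft -> Windows, discovered by wildcard so nothing is hardcoded.
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-SMB*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }

$summary = foreach ($ch in $channels) {
    $events = @(Get-WinEvent -LogName $ch.LogName -ErrorAction SilentlyContinue)

    # Full export, one CSV per channel, with messages flattened to one line.
    $file = Join-Path $OutDir (($ch.LogName -replace '[\\/]', '_') + '.csv')
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                      @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Export-Csv -Path $file -NoTypeInformation

    # Per-channel counts the poster can compare across machines: total events
    # and how many mention a pipe or anonymous access in the message text.
    [PSCustomObject]@{
        Channel    = $ch.LogName
        Total      = $events.Count
        PipeOrAnon = @($events | Where-Object { $_.Message -match 'pipe|anonymous' }).Count
        Oldest     = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        Newest     = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

$summary | Export-Csv -Path (Join-Path $OutDir 'channel-summary.csv') -NoTypeInformation
$summary | Format-Table -AutoSize
```

Run it once on the clean install and once on the rebuilt machine, then compare the two `null-session-settings.csv` and `named-pipes.txt` files and the per-channel CSVs; an entry that exists on the rebuilt host but not in the clean baseline is the thing worth explaining, while an entry present on both (such as the single old event the poster found on the brand-new laptop) is part of the stock image and not evidence of reinfection.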