So upon further self-examination, I remembered to check Windows Task Scheduler and I did find an entry there that was set to invoke wscript every 2 minutes in an attempt to run the payload script file (which I uploaded originally). I deleted that entry. I then found a very small .iso file in the client's Download folder, so I must assume they received it via an email attachment and then opened it. I am attaching that iso file to this msg. A paid Malwarebytes Premium is running on the client computer, so maybe it somewhat thwarted the infection, but I am sorely disappointed that it is not detecting the payload files. At this time, I don't see a need to run any more diagnostic or logging tools, but I hope you (or someone) reviews the iso payload and can help get this type of attack "detected". Thanks.
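
A read-only check for the persistence described in this post (a Task Scheduler entry that starts wscript on a short repeat), added here as an example and not part of the original message. The script hosts listed besides wscript and the 15-minute threshold are assumptions made for the example.

```powershell
# Lists scheduled tasks whose action starts a Windows script host and shows
# how often each one repeats. Nothing is changed or deleted.
# Run from an elevated prompt so tasks registered by other accounts are included.

# Assumption: hosts to flag. The post names wscript; the others are added here.
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe'
# Assumption: a repeat interval at or below this is treated as suspicious.
$maxInterval = [TimeSpan]::FromMinutes(15)

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have an Execute property.
        if (-not $action.Execute) { continue }

        # Expand %windir%-style variables, drop quotes, keep only the file name.
        $exePath = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $exeName = Split-Path -Path $exePath -Leaf
        if ($exeName -notlike '*.exe') { $exeName += '.exe' }
        if ($scriptHosts -notcontains $exeName) { continue }

        # Repetition.Interval is an ISO 8601 duration string such as PT2M.
        $intervals = foreach ($trigger in $task.Triggers) {
            $iso = $trigger.Repetition.Interval
            if ($iso) { [System.Xml.XmlConvert]::ToTimeSpan($iso) }
        }
        $shortest = $intervals | Sort-Object | Select-Object -First 1

        [pscustomobject]@{
            Task         = $task.TaskPath + $task.TaskName
            RunAs        = $task.Principal.UserId
            Execute      = $action.Execute
            Arguments    = $action.Arguments
            RepeatsEvery = $shortest
            ShortRepeat  = ($null -ne $shortest -and $shortest -le $maxInterval)
        }
    }
}

# Short-interval script-host tasks sort to the top for review.
$findings | Sort-Object ShortRepeat -Descending | Format-List
```

The `Arguments` column shows the script path each task passes to the host, which is the file to collect for analysis before the task entry is removed.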