We additionally observed the creation of a scheduled task named “Business Aviation” with the command line “wscript REHABI~1.JS” (as shown in Figure 3). This was suspected to be a persistence method in which the threat actor was utilizing WScript.exe to execute the second-stage payload of GootKit.
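The task above is what a defender would want to catch in scheduled-task creation telemetry: a task whose action launches a script host (wscript.exe or cscript.exe) with a script file, here hidden behind the 8.3 short name REHABI~1.JS. The following Python is an added example and not code from the original article or from the GootKit analysis it describes. It parses Task Scheduler XML of the form Windows logs in the TaskContent of Security event 4698 and flags actions that look like this persistence. The task name, command and argument of the first sample come from the page; the second (benign defrag) task, the exact XML layout, and the indicator names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed samples in Task Scheduler XML (the namespace is the real schema URI).
# The first models the "Business Aviation" task described on the page; the second
# is an assumed benign task included for contrast and is not from the page.
SAMPLE_TASKS: Dict[str, str] = {
    "\\Business Aviation": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        "<Command>wscript</Command><Arguments>REHABI~1.JS</Arguments>"
        "</Exec></Actions></Task>"
    ),
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        "<Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments>"
        "</Exec></Actions></Task>"
    ),
}

# Windows Script Host binaries, with or without extension or a leading path.
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
# Script extensions WSH will execute.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.IGNORECASE)
# An 8.3 short-name component such as REHABI~1, which hides the real file name.
SHORT_NAME = re.compile(r"~\d+")


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(task_xml: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    actions = []
    for node in ET.fromstring(task_xml).iter():
        if _local(node.tag) != "Exec":
            continue
        command = arguments = ""
        for child in node:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                arguments = (child.text or "").strip()
        actions.append((command, arguments))
    return actions


def suspicious_reasons(command: str, arguments: str) -> List[str]:
    """Reasons an action looks like script-host persistence; empty if none."""
    reasons = []
    # Reduce "C:\Windows\System32\wscript.exe" or plain "wscript" to the basename.
    host = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    if host in SCRIPT_HOSTS:
        reasons.append(f"script host {host} as task command")
        if SCRIPT_EXT.search(arguments):
            reasons.append("script file passed as argument")
        if SHORT_NAME.search(arguments):
            reasons.append("8.3 short name in argument (hides the real file name)")
    return reasons


def find_script_host_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map task name -> reasons for every task whose actions launch a script host."""
    findings = {}
    for name, xml in tasks.items():
        reasons = []
        for command, arguments in exec_actions(xml):
            reasons.extend(suspicious_reasons(command, arguments))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_script_host_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Matching on the basename of the command rather than the full string is deliberate: the same wscript invocation can be logged as a bare name, a full path, or a quoted path, and a short-name argument is only meaningful as an extra indicator once the command itself is a script host. On a live host the same logic applies to the output of Get-ScheduledTask or the XML files under C:\Windows\System32\Tasks.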