VBS Downloader and Defender Control
An attacker logged into the honeypot and ran a batch file that created a VBS script, which attempted to download something that uses Tor, possibly a coin miner. The download was blocked by the content filtering system, but the attacker seemed to think Defender had blocked it. The attacker then downloaded an application named Defender Control to turn off Defender. See the timeline, details, sandbox run and IOCs below.