We also noted the utilization of the command C:\Windows\System32\cscript.exe REHABI~1.JS spawning PowerShell.exe, as shown in Figure 4. The cscript.exe command line tool is specific to Windows Server. The commands passed to PowerShell were not captured in this case.