If you want, I can:
Gather context from:
The SIEM says: "Process executed from temp directory by wscript.exe." effective threat investigation for soc analysts pdf