[2021]: Rc-corvt.cab
During the installation of an older graphics driver, a printer driver, or a virtualization tool.
The Sigma rule below (the original page ran it together on one line and used the key `CommandLine|contains` twice inside one selection, which is invalid YAML and silently drops the first value; the two conditions are now separate selections that are ANDed in the condition):

title: Suspicious Cabinet File Extraction in Temp Folder
status: experimental
logsource:
    product: windows
    service: sysmon
detection:
    selection_image:
        Image|endswith:
            - '\expand.exe'
            - '\extrac32.exe'
    selection_cab_path:
        # .cab dropped into a user or system temp folder
        CommandLine|contains:
            - 'C:\Users\*\AppData\Local\Temp\*.cab'
            - 'C:\Windows\Temp\*.cab'
    selection_flag:
        CommandLine|contains: '-F:*'   # expand.exe switch: extract all files
    condition: all of selection_*
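To check what the rule actually fires on, here is an added example (not from the original page) that re-implements its three selections in Python and runs them over constructed Sysmon process-creation events; Sigma matching is case-insensitive and `*` is a wildcard, which `fnmatch` on lowercased strings reproduces.

```python
"""Evaluate the 'Suspicious Cabinet File Extraction in Temp Folder' logic
against constructed Sysmon process-creation events (added example; the
event records below are constructed, not real telemetry)."""
import fnmatch

# Patterns taken from the rule above. Sigma string matching is
# case-insensitive and '*' is a wildcard, so lowercase + fnmatch suffices.
IMAGE_SUFFIXES = ("\\expand.exe", "\\extrac32.exe")
CAB_PATH_PATTERNS = (
    "C:\\Users\\*\\AppData\\Local\\Temp\\*.cab",
    "C:\\Windows\\Temp\\*.cab",
)
EXTRACT_ALL_FLAG = "-F:*"


def _contains(value: str, pattern: str) -> bool:
    """Sigma '|contains': pattern may occur anywhere; '*' inside it is a wildcard."""
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower() + "*")


def matches_rule(event: dict) -> bool:
    """True when one event satisfies all three selections (the AND condition)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(IMAGE_SUFFIXES):          # Image|endswith
        return False
    if not any(_contains(cmdline, p) for p in CAB_PATH_PATTERNS):  # temp .cab
        return False
    return _contains(cmdline, EXTRACT_ALL_FLAG)     # '-F:*' present


# Constructed sample events: only the first one should alert.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\expand.exe",
     "CommandLine": "expand.exe C:\\Users\\alice\\AppData\\Local\\Temp\\rc-corvt.cab"
                    " -F:* C:\\Users\\alice\\AppData\\Local\\Temp\\out"},
    {"Image": "C:\\Windows\\System32\\extrac32.exe",          # no -F:* switch
     "CommandLine": "extrac32 /Y C:\\Windows\\Temp\\update.cab"},
    {"Image": "C:\\Windows\\System32\\expand.exe",            # not a temp path
     "CommandLine": "expand.exe -F:* D:\\drivers\\driver.cab D:\\drivers"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",               # wrong image
     "CommandLine": "cmd.exe /c expand.exe C:\\Windows\\Temp\\x.cab -F:* ."},
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]
```

Note that `-F:*` under `contains` also matches a single-file extraction such as `-F:foo.dll`, so the flag selection is broader than its "extract all files" comment suggests.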
