Tag
Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.