Potentially Suspicious Cabinet File Expansion

    Date: 11/18/2024

    Severity: Medium

    Summary

    Detects the extraction or decompression of cabinet (.cab) files with expand.exe from potentially suspicious or uncommon locations, as observed in attacks related to the Iranian MeteorExpress wiper.

    Indicators of Compromise (IOC) List

    Image (ends with):

    '\expand.exe'

    CommandLine (contains):

    '-F:'

    CommandLine (contains any one of):

    ':\Perflogs\'

    ':\ProgramData'

    ':\Users\Public\'

    ':\Windows\Temp\'

    '\Admin$\'

    '\AppData\Local\Temp\'

    '\AppData\Roaming\'

    '\C$\'

    '\Temporary Internet'

    CommandLine (contains ':\Users\' together with any one of):

    '\Favorites\'

    '\Favourites\'

    '\Contacts\'

    Exclusion (both must match for the event to be filtered out):

    ParentImage :

    'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'

    CommandLine :

    'C:\ProgramData\Dell\UpdateService\Temp\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "\expand.exe" AND processcommandline like "-F:") AND ((processcommandline like ":\Perflogs" or processcommandline like ":\ProgramData" or processcommandline like ":\Users\Public" or processcommandline like ":\Windows\Temp" or processcommandline like "\Admin$" or processcommandline like "\AppData\Local\Temp" or processcommandline like "\AppData\Roaming" or processcommandline like "\C$" or processcommandline like "\Temporary Internet") OR (processcommandline like ":\Users" AND (processcommandline like "\Favorites" or processcommandline like "\Favourites" or processcommandline like "\Contacts"))) AND (parentprocessname not like "C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" OR processcommandline not like "C:\ProgramData\Dell\UpdateService\Temp")

    Detection Query 2:

    (technologygroup = "EDR") AND (processname like "\expand.exe" AND processcommandline like "-F:") AND ((processcommandline like ":\Perflogs" or processcommandline like ":\ProgramData" or processcommandline like ":\Users\Public" or processcommandline like ":\Windows\Temp" or processcommandline like "\Admin$" or processcommandline like "\AppData\Local\Temp" or processcommandline like "\AppData\Roaming" or processcommandline like "\C$" or processcommandline like "\Temporary Internet") OR (processcommandline like ":\Users" AND (processcommandline like "\Favorites" or processcommandline like "\Favourites" or processcommandline like "\Contacts"))) AND (parentprocessname not like "C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" OR processcommandline not like "C:\ProgramData\Dell\UpdateService\Temp")
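    As an added illustration (not Gurucul's code or the Sigma project's), the rule logic above written out in Python and run over a handful of constructed process-creation events, so the pairing of ':\Users\' with one subfolder and the two-field Dell exclusion can be checked against concrete command lines. The event field names and the sample command lines are assumptions; only the path substrings and the Dell parent/temp values come from the rule.

```python
# Constructed process-creation events (not real telemetry). Only the path
# substrings and the Dell parent/temp values are taken from the rule above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\expand.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"expand.exe -F:* C:\Users\Public\pkg.cab C:\Users\Public\out"},
    {"image": r"C:\Windows\System32\expand.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"expand.exe -F:* C:\Users\alice\Contacts\pkg.cab C:\Users\alice\Contacts"},
    {"image": r"C:\Windows\System32\expand.exe",
     "parent": r"C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe",
     "cmd": r"expand.exe -F:* C:\ProgramData\Dell\UpdateService\Temp\a.cab C:\ProgramData\Dell\UpdateService\Temp\a"},
    {"image": r"C:\Windows\System32\expand.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"expand.exe -F:* C:\Drivers\pkg.cab C:\Drivers"},
]

# Substrings from the rule; Sigma 'contains' matching is case-insensitive.
SUSPICIOUS_PATHS = [":\\Perflogs\\", ":\\ProgramData", ":\\Users\\Public\\",
                    ":\\Windows\\Temp\\", "\\Admin$\\", "\\AppData\\Local\\Temp\\",
                    "\\AppData\\Roaming\\", "\\C$\\", "\\Temporary Internet"]
USER_SUBDIRS = ["\\Favorites\\", "\\Favourites\\", "\\Contacts\\"]
DELL_PARENT = r"C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe"
DELL_TEMP = "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"


def _contains(haystack, needle):
    return needle.lower() in haystack.lower()


def is_suspicious_expand(image, cmd, parent):
    """True when a process-creation event satisfies the rule's condition."""
    if not image.lower().endswith("\\expand.exe") or not _contains(cmd, "-F:"):
        return False
    # One of the path selections must hit: a fixed suspicious directory, or a
    # per-user profile path (':\Users\' paired with any ONE of the subfolders).
    in_fixed = any(_contains(cmd, p) for p in SUSPICIOUS_PATHS)
    in_user = _contains(cmd, ":\\Users\\") and any(_contains(cmd, d) for d in USER_SUBDIRS)
    if not (in_fixed or in_user):
        return False
    # The Dell filter removes an event only when BOTH parent and temp path match;
    # filtering on either field alone would silently drop genuine hits.
    if parent.lower() == DELL_PARENT.lower() and _contains(cmd, DELL_TEMP):
        return False
    return True


def scan(events):
    return [e["cmd"] for e in events if is_suspicious_expand(e["image"], e["cmd"], e["parent"])]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

    Of the four constructed events, the first two alert (Users\Public and a Contacts folder), the third is suppressed by the Dell exclusion, and the fourth never matches a listed path.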

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml


    Tags

    Malware, Sigma, Iran
