extrac32
CAB extraction utility bundled with Internet Explorer. Less monitored than expand.exe, can extract payloads from CAB archives.
Binary Paths
C:\Windows\System32\extrac32.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where ext*32.exe') do %i /e /y payload.cab C:\out\` | Star matches 'rac' between 'ext' and '32' |
| `for /f %i in ('where extrac*.exe') do %i /e /y payload.cab C:\out\` | Star suffix matches '32.exe' |
| `for /f %i in ('where ext?ac32.exe') do %i /e /y payload.cab C:\out\` | Single char wildcard replaces 'r' |
| `for /f %i in ('dir /b C:\Windows\System32\extrac*.exe') do %i /e payload.cab C:\out\` | dir /b glob finds extrac32.exe in System32 |
| `forfiles /p C:\Windows\System32 /m ext*32.exe /c "@file /e payload.cab C:\out\"` | forfiles * mask finds extrac32.exe — @file expands to matched filename |
| `C:\Windows\System32\EXTRAC~1.EXE /e /y payload.cab C:\out\` | 8.3 SFN — EXTRAC~1 auto-generated for extrac32.exe; requires NtfsDisable8dot3NameCreation=0 |
| `for %i in (C:\Windows\System32\extrac*.exe) do @%i /e /y payload.cab C:\out\` | Native CMD for loop with filesystem glob — expands extrac*.exe directly in System32 without where.exe |
| `for /f %i in ('where /r C:\Windows\System32 extrac*.exe') do %i /e /y payload.cab C:\out\` | Recursive where search scoped to System32 — locates extrac32.exe without spelling full binary name |
YARA Rule
Auto-generated detection rule for extrac32
Platform Notes
extrac32.exe is a legacy CAB extraction utility. The /e flag extracts all files. It is often overlooked in EDR rule sets compared to certutil or expand. In batch scripts use %%i instead of %i.
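A detection-side sketch for the patterns in the table, added here as an example and not part of the original page: it tokenizes a logged command line and reports any token that names extrac32.exe literally, through a `*`/`?` mask, or through the short-name form the page lists. The function names, the `MIN_LITERALS` threshold and the sample lines are assumptions made for the example.

```python
import re

TARGET = "extrac32.exe"
SFN = re.compile(r"extrac~\d\.exe\Z")   # short-name form listed on the page (EXTRAC~1.EXE)
TOKEN = re.compile(r"[^\s'\"()]+")      # split on whitespace, quotes and parentheses
MIN_LITERALS = 3                        # assumption: skip broad masks such as *.exe

# Constructed sample command lines: four built from the page's patterns, two benign.
SAMPLES = r"""
for /f %i in ('where ext?ac32.exe') do %i /e /y payload.cab C:\out\
forfiles /p C:\Windows\System32 /m ext*32.exe /c "@file /e payload.cab C:\out\"
C:\Windows\System32\EXTRAC~1.EXE /e /y payload.cab C:\out\
C:\Windows\System32\extrac32.exe /e /y payload.cab C:\out\
dir /b C:\Windows\System32\*.exe
where explorer.exe
""".strip().splitlines()


def classify_token(token):
    """Return 'literal', 'glob', 'sfn' or None for one command-line token."""
    name = token.lower().replace("/", "\\").rsplit("\\", 1)[-1]  # file-name part only
    if name == TARGET:
        return "literal"
    if SFN.match(name):
        return "sfn"
    if "*" not in name and "?" not in name:
        return None
    stem = name.rsplit(".", 1)[0]
    if sum(c not in "*?" for c in stem) < MIN_LITERALS:
        return None  # mask too broad to attribute to this binary
    # cmd.exe masks only use * and ?; every other character is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in name)
    return "glob" if re.fullmatch(rx, TARGET) else None


def scan(cmdline):
    """Return the sorted set of match kinds found in a full command line."""
    return sorted({k for k in map(classify_token, TOKEN.findall(cmdline)) if k})


if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line) or ["-"], line)
```

A `glob` or `sfn` hit is a stronger signal than `literal`, since ordinary use of the tool spells the name out.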