verclsid.exe

  • File Path: C:\Windows\SysWOW64\verclsid.exe
  • Description: Extension CLSID Verification Host

Hashes

Type Hash
MD5 FBBBBA89EFE4C6DD0CAC5CEAFC9342F0
SHA1 AD576D95E15E1DD55543A182DFF9452510D3E306
SHA256 50259658B30D267DB199A0805E0986798DD799E18700FD198B894CE9E04DB851
SHA384 40E9568C7C5C5EB1569C5216BFD44DBA8E89C784AE6A7F38D1B1F3A963198A7021A64FCE2E561113C7C9D85C154DC7CB
SHA512 4393D0FD1D12BCBCDFFDBC4973AC43823C68FB1F5BDDB77126E6D40479175670BB9F6AB94CD50FC918A2C2D5A5AEF6D8FCF4ABD757D4F5C20485E998D4F3161E
SSDEEP 192:N11qDr34PivAauMnDXD1MJVRaqXWNNW9w:PQjiivAauMzDWJeiWNNW
IMP BDC7940F5DE0DB2F5978F34E0BD82FF0
PESHA1 1A628299620531687406291DE136973D58701419
PE256 E4583FC03595147982CEBD97D0CE544948DE13E7822D034B8257F28E01110EE6

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\verclsid.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: verclsid.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/50259658b30d267db199a0805e0986798dd799e18700fd198b894ce9e04db851/detection/

Possible Misuse

The following table contains possible examples of verclsid.exe being misused. While verclsid.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_malware_verclsid_shellcode.yml title: Malware Shellcode in Verclsid Target Process DRL 1.0
sigma proc_access_win_malware_verclsid_shellcode.yml description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro DRL 1.0
sigma proc_access_win_malware_verclsid_shellcode.yml TargetImage\|endswith: '\verclsid.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*verclsid*' DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml title: Verclsid.exe Runs COM Object DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml description: Detects when verclsid.exe is used to run COM object via GUID DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml Image\|endswith: '\verclsid.exe' DRL 1.0
LOLBAS Verclsid.yml Name: Verclsid.exe  
LOLBAS Verclsid.yml - Command: verclsid.exe /S /C {CLSID}  
LOLBAS Verclsid.yml - Path: C:\Windows\System32\verclsid.exe  
LOLBAS Verclsid.yml - Path: C:\Windows\SysWOW64\verclsid.exe  
atomic-red-team index.md - T1218.012 Verclsid CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.012 Verclsid CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Verclsid CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Verclsid CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.