verclsid.exe

  • File Path: C:\windows\system32\verclsid.exe
  • Description: Extension CLSID Verification Host

Hashes

Type Hash
MD5 EFCD1B250FCF76563CA2DB15CDF9A9B6
SHA1 4C401D1E673493C9B1638D5D0D795C781C410077
SHA256 C70E4DED6A371904DFF62CC9EF4BD3C723C41DD615083DA811940386D08D5538
SHA384 C9C7F51F94CF41E46FF34324E889465D6F65FDCCA7722CD53EE50B10B1209BA7952B90241B9A0B4D243335C78EFB838E
SHA512 B6C18A6852CE9FC90A4E4F972B7ED8B3F6C6D86D161AB4653B0B3F0FEBDD2CEE7F4C7EBA05D3F1CC0C2196DAF5376132C2DF5EFB3E4206837A9A021B6D700C26
SSDEEP 192:KACPC3Lq587T/UoXqbPVdAqtp6Ef7wE9D7EAEjGeKr8EtskfWkNW:tfLm87TMBOSNerjGeJosAWkNW

Signature

  • Status: The file C:\windows\system32\verclsid.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: verclsid.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of verclsid.exe being misused. While verclsid.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_malware_verclsid_shellcode.yml title: Malware Shellcode in Verclsid Target Process DRL 1.0
sigma proc_access_win_malware_verclsid_shellcode.yml description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro DRL 1.0
sigma proc_access_win_malware_verclsid_shellcode.yml TargetImage\|endswith: '\verclsid.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'verclsid' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*verclsid*' DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml title: Verclsid.exe Runs COM Object DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml description: Detects when verclsid.exe is used to run COM object via GUID DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml DRL 1.0
sigma proc_creation_win_verclsid_runs_com.yml Image\|endswith: '\verclsid.exe' DRL 1.0
LOLBAS Verclsid.yml Name: Verclsid.exe  
LOLBAS Verclsid.yml - Command: verclsid.exe /S /C {CLSID}  
LOLBAS Verclsid.yml - Path: C:\Windows\System32\verclsid.exe  
LOLBAS Verclsid.yml - Path: C:\Windows\SysWOW64\verclsid.exe  
atomic-red-team index.md - T1218.012 Verclsid CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.012 Verclsid CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Verclsid CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Verclsid CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.