OfficeClickToRun.exe

  • File Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  • Description: Microsoft Office Click-to-Run (SxS)

Hashes

Type Hash
MD5 67E6E37998718F746BA52EAF94C4C0A7
SHA1 83E7ABE8C919C75660B4F7E327DAE54A92064BB1
SHA256 1DC68C7EB3FC39E118521C7425C47DA841283A076CC422A480BF9EF637C43000
SHA384 40470A92BE3DBF6535AD08F7C6EB7B153822D6DC88689970C63BC25219267AF64B48E5A5470106F03FD90241D700E350
SHA512 21521AAC07B47A3386DD789A5CCDBE0175799DFBFE5758670A35A6B642B89578ECFAA4E0086DFE3B734BCE1AF317671339AA2F5650705AC317B182C01C193F3C
SSDEEP 98304:GhDYh+CeHpUwnAJV84AB9Jn8Ed00k9Tfd1WKh:2lJHpUwkO4QD8Ed0XBdoKh
IMP 2D9EA2C08EF74C8E5D312E84CD0D4957
PESHA1 FF5F784E0CB5845EB6220A36DB74FB20B0D92D53
PE256 ADCB9FC726E8A639F011A43E0C85DAAC4757E80F4844477DCA039021A8D2FED6

Runtime Data

Loaded Modules:

Path
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CE7C9ACE7D905ED2B70000000002CE
  • Thumbprint: B10607FB914700B40F794610850C1DE0A21566C1
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OfficeClickToRun.exe
  • Product Name: Microsoft Office
  • Company Name: Microsoft Corporation
  • File Version: 16.0.12527.20470
  • Product Version: 16.0.12527.20470
  • Language: Language Neutral
  • Legal Copyright:
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/1dc68c7eb3fc39e118521c7425c47da841283a076cc422a480bf9ef637c43000/detection/

Possible Misuse

The following table contains possible examples of OfficeClickToRun.exe being misused. While OfficeClickToRun.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe \| stats values(CommandLine) by Computer MIT License. © 2018 Red Canary
atomic-red-team Atomic_Friday.md (index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe \| table Computer, User, CommandLine, _time MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.