OfficeClickToRun.exe

File Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Description: Microsoft Office Click-to-Run (SxS)

Hashes

Type	Hash
MD5	`67E6E37998718F746BA52EAF94C4C0A7`
SHA1	`83E7ABE8C919C75660B4F7E327DAE54A92064BB1`
SHA256	`1DC68C7EB3FC39E118521C7425C47DA841283A076CC422A480BF9EF637C43000`
SHA384	`40470A92BE3DBF6535AD08F7C6EB7B153822D6DC88689970C63BC25219267AF64B48E5A5470106F03FD90241D700E350`
SHA512	`21521AAC07B47A3386DD789A5CCDBE0175799DFBFE5758670A35A6B642B89578ECFAA4E0086DFE3B734BCE1AF317671339AA2F5650705AC317B182C01C193F3C`
SSDEEP	`98304:GhDYh+CeHpUwnAJV84AB9Jn8Ed00k9Tfd1WKh:2lJHpUwkO4QD8Ed0XBdoKh`
IMP	`2D9EA2C08EF74C8E5D312E84CD0D4957`
PESHA1	`FF5F784E0CB5845EB6220A36DB74FB20B0D92D53`
PE256	`ADCB9FC726E8A639F011A43E0C85DAAC4757E80F4844477DCA039021A8D2FED6`

Runtime Data

Loaded Modules:

Path
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll

Signature

Status: Signature verified.
Serial: 33000002CE7C9ACE7D905ED2B70000000002CE
Thumbprint: B10607FB914700B40F794610850C1DE0A21566C1
Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: OfficeClickToRun.exe
Product Name: Microsoft Office
Company Name: Microsoft Corporation
File Version: 16.0.12527.20470
Product Version: 16.0.12527.20470
Language: Language Neutral
Legal Copyright:
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/72
VirusTotal Link: https://www.virustotal.com/gui/file/1dc68c7eb3fc39e118521c7425c47da841283a076cc422a480bf9ef637c43000/detection/

Possible Misuse

The following table contains possible examples of OfficeClickToRun.exe being misused. While OfficeClickToRun.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	registry_event_asep_reg_keys_modification_common.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_currentversion.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_currentversion_nt.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_office.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_wow6432node.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_office_vsto_persistence.yml	`- '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_outlook_registry_todaypage.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0
sigma	registry_event_removal_com_hijacking_registry_key.yml	`Image\\|endswith: '\OfficeClickToRun.exe'`	DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.