OpenWith.exe

  • File Path: C:\Windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 0ED31792A7FFF811883F80047CBCFC91
SHA1 7E2E07E9B8F0A3F18C37A0CF3A636442F2A2E6E8
SHA256 CF70792BFC6FC236091237BAD043F0BE6BD398CAE72AC97346E471DF3D118031
SHA384 368D213DD36FC967A153F5B707B99485D4E7582E4BC25F92CACA2B466E8B818247542D34C7137E7273A5F1F29D9D5499
SHA512 E7AA678DE32F77527F9F62DFD8DBA0AFC3CA37076F337E04FCFD287FF3151CD722B35F587FB570CF9B77A9EA744E10EB81CAD0C2FB6CA82FCB5BA058159944A2
SSDEEP 1536:r0RxJf9ClqiNgxDJwwrbAytK50aimylPnai5yWF+mfKQTzBNer+CE+Ge+MRUPqM:oVf9CitbAyBaiAv6rer+CE+GUUS
IMP 753F8F3C01391963EA78BBF3E74B5A84
PESHA1 6CAB200A2EB56AC9C3C6AB28780CC6ACBEDD871B
PE256 6F6A5D82E55C93B6DFFAAD19DED576196EEEADD1A190124239DF5C377C3D0F2F

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb File
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SystemResources\twinui.dll.mun File
(R-D) C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984 File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
(RWD) C:\Windows\Fonts\seguisym.ttf File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\OpenWith.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.746 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.746
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/cf70792bfc6fc236091237bad043f0be6bd398cae72ac97346e471df3d118031/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 50
C:\windows\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 40
C:\Windows\system32\OpenWith.exe 44
C:\WINDOWS\system32\OpenWith.exe 40
C:\WINDOWS\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 43
C:\windows\SysWOW64\OpenWith.exe 50
C:\Windows\SysWOW64\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 52
C:\Windows\SysWOW64\OpenWith.exe 41
C:\Windows\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 50

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.