OpenWith.exe

  • File Path: C:\windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 1DFE1ED0A9EF0FA4FFE8D08DFB00F121
SHA1 730D5A899C44D197B91753F2606F3BACCA9D6B89
SHA256 77378C8D09E7841CFCC31D42ECC2AC828898E2958240D2D0966D82C9229F641F
SHA384 96E359F26B0172A46DF1E6B28F0E250D33B4509D45560BEECC06AB16B875079B52EC7B9B0B4ABF143428E215B485A7D5
SHA512 9B079D68B3F3C55547C6F1E126A24F355DC6CC735517AFF281D3CAE129FF736BADA5ADADD66D9CCEDF6757EA341A07437B08E26E4F35E6377B538049CC510E5E
SSDEEP 1536:T3DBzpaYdYXvcOyzjXfKQTzBNer+CE+Ge+gGWzP7E:bqX1yXvrer+CE+GNmQ

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 43
C:\windows\system32\OpenWith.exe 49
C:\Windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 47
C:\WINDOWS\system32\OpenWith.exe 35
C:\WINDOWS\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 50
C:\Windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 47
C:\Windows\SysWOW64\OpenWith.exe 52
C:\Windows\SysWOW64\OpenWith.exe 43
C:\WINDOWS\SysWOW64\OpenWith.exe 43
C:\WINDOWS\SysWOW64\OpenWith.exe 46

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.