OpenWith.exe

  • File Path: C:\windows\system32\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 2C56E3290BED2E82AE666EEA01843073
SHA1 2545605A4CB1F45782DB18A823488EFDB1D4E206
SHA256 D3BC9D22081EDA2D6192AB50A7DB3BB1372A979A13F22D29AAFEC4D325CCAF9F
SHA384 D507CBAC2EB5AE9828437C24ED6DBB38EADFBE557CC3753549AFC9E8E814D09240299F5906AC0AEFE616F0E1247B2CF4
SHA512 095CF7B6DEFC52FE5A7168C86831A8D349D2EF41D50863C4920867572F4861C6B4D2CC7A5650BAB453D064D6A848A0F80C5EBE31DFC54A7BBDE48FF7A41F9CE0
SSDEEP 1536:Hu7g+wNGlCpntLJE41YEQ7yz09XfKQTzBNer+CE+Ge+yiyP1rf:x+wNwCptL1YGEvrer+CE+G8iytL

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 41
C:\Windows\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 46
C:\WINDOWS\system32\OpenWith.exe 40
C:\WINDOWS\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 43
C:\windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 41
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 46

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.