OpenWith.exe

  • File Path: C:\WINDOWS\system32\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 49A571B29C15214D0D3B58A6A5180680
SHA1 B4639EDC0285118FB6A9E0158DF1F8A48BAA8214
SHA256 5C30CF9A2A8BBBB5443C2BB0ED86B734CF6DD0E0CE2535A16E7D2C1C90E84FE7
SHA384 20331E5307E98ABA63E8EE4A629269D72F42F4F1527920970FBD0A93F7E8812F0E2CCC796748F4B1FE26163346F6B6B0
SHA512 5C6F2758387C858B8FDEEEA57189F9ADF1BAB093AEE0ED4A21DA57B61B43C4D3904AEA25EA0281C395F5AF6C6C18FACB5EE73D8518AD5A488293510D9E4AEC86
SSDEEP 3072:y8vlpCchdWFl9Lzi+rgpoYBRdKVavM9rer+CE+GLFD:y8tcchdWFl9Lzi+rgpouRdKgv4eLE+Gd
IMP F7C27A7B78A900322B3928CA54949F5F
PESHA1 F20C44B69CB8A80C5C17A75CFC05941BC33EB11D
PE256 7AC7159E9012E8D1D095B09686B92AA027C587B6708464D5845D473FA4FF13EE

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SystemResources\twinui.dll.mun File
(R-D) C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\IMM32.DLL
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\OpenWith.exe
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\SHCORE.dll
C:\WINDOWS\System32\SHELL32.dll
C:\WINDOWS\System32\SHLWAPI.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll
C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/5c30cf9a2a8bbbb5443c2bb0ed86b734cf6dd0e0ce2535a16e7d2c1c90e84fe7/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 33
C:\windows\system32\OpenWith.exe 40
C:\Windows\system32\OpenWith.exe 40
C:\Windows\system32\OpenWith.exe 35
C:\WINDOWS\system32\OpenWith.exe 33
C:\Windows\system32\OpenWith.exe 29
C:\Windows\system32\OpenWith.exe 40
C:\Windows\SysWOW64\OpenWith.exe 40
C:\windows\SysWOW64\OpenWith.exe 35
C:\Windows\SysWOW64\OpenWith.exe 30
C:\Windows\SysWOW64\OpenWith.exe 33
C:\Windows\SysWOW64\OpenWith.exe 40
C:\Windows\SysWOW64\OpenWith.exe 40
C:\WINDOWS\SysWOW64\OpenWith.exe 38
C:\WINDOWS\SysWOW64\OpenWith.exe 41

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.