OpenWith.exe

  • File Path: C:\Windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 53E3F9F13C4C20B32CDA36FDEE865890
SHA1 2D00DE8557AC739E93E07B376FAD859AC7E15752
SHA256 3A796E0D682BD590B4C0AC50C8BCF80FADC6331FE83FBD6F2DE67148B4DA7005
SHA384 3A2BB748C9E185EE1FAD2959EDCC828FE2169D1D315983629C87A371DB95B4AA047AA1F938836705D46629CDD0DF487F
SHA512 DDBEC8B6BC4A2A1EA96DE2D5C983702DFA14ECB14ADCB31A2DD55338845DD1B1C9C4076B3FDA8BE9D38876502A50C845EA82BC9A8152AF73E7E15272B20AAC0F
SSDEEP 1536:gx2TCjRqyegzTJ8VcJQyAO50aimJ1JsaeQyrFumfKQTzBNer+CE+Ge+MgTq2lPxH:rTCjHPJQymaexs6rer+CE+G9lpH
IMP 753F8F3C01391963EA78BBF3E74B5A84
PESHA1 21FF10713EACCC10FDDF950D05D23246429639F4
PE256 3F9DC14DBA11995D9B1F2F2A36B8B87F5CA7F0C2818AF92AABAB9A6620FE64EC

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb File
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SystemResources\twinui.dll.mun File
(R-D) C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\OpenWith.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.423 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.423
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/3a796e0d682bd590b4c0ac50c8bcf80fadc6331fe83fbd6f2de67148b4da7005/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 43
C:\windows\system32\OpenWith.exe 41
C:\Windows\system32\OpenWith.exe 36
C:\Windows\system32\OpenWith.exe 38
C:\WINDOWS\system32\OpenWith.exe 41
C:\Windows\system32\OpenWith.exe 43
C:\windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 91
C:\Windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 47
C:\WINDOWS\SysWOW64\OpenWith.exe 47

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. OpenWith.exe is a Microsoft-signed Windows binary (see the Signature section) and is not inherently malicious, but its /c switch launches the file it is given (the LOLBAS entries below hand it an .hta and an .msi), which is why it is listed in LOLBAS and covered by the Sigma rule quoted here. Note that the Sigma condition shown matches on the image name alone, so the rule's own false-positive note applies: a user opening the ordinary "Pick an app" dialog produces the same image, and the command line must be inspected to tell the two apart.

Source Source File Example License
sigma win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma win_susp_openwith.yml Image|endswith: '\OpenWith.exe' DRL 1.0
sigma win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  
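
The following is an added example, not code from this page, the Sigma project or LOLBAS: a small Python evaluator that applies the Sigma condition above (Image ends with \OpenWith.exe) to process-creation records and then narrows on the /c switch seen in the LOLBAS commands, so that a plain "Pick an app" launch is not reported. The narrowing on /c, the Sysmon-style field names (Image, CommandLine, ParentImage) and the sample events are this example's assumptions; the Explorer-launched command line in particular is invented, since the page does not show what Explorer passes.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1-style records (Image, CommandLine, ParentImage).
# These are sample events written for this example, not logs from the page.
SAMPLE_EVENTS = [
    # LOLBAS-style launches of an HTA and an MSI through the /c switch
    {"Image": r"C:\Windows\System32\OpenWith.exe",
     "CommandLine": r"OpenWith.exe /c C:\test.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\windows\sysWOW64\Openwith.exe",
     "CommandLine": r'"C:\windows\sysWOW64\Openwith.exe" /C C:\testing.msi',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\stage.exe"},
    # Assumed benign launch of the "Pick an app" dialog; the switches Explorer
    # really passes are not shown on the page, so this command line is invented
    {"Image": r"C:\Windows\System32\OpenWith.exe",
     "CommandLine": r'"C:\Windows\System32\OpenWith.exe" "C:\Users\user\notes.txt"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # A different image using /c: must not match the image condition
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\test.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# '/c <path>' or '/c "<path with spaces>"', case-insensitive, after the image
_SWITCH_RE = re.compile(r'(?:^|\s)/c\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def image_is_openwith(image: str) -> bool:
    """Sigma 'Image|endswith: \\OpenWith.exe', compared case-insensitively
    because NTFS paths are; both the System32 and SysWOW64 copies match."""
    return image.lower().endswith("\\openwith.exe")


def parse_target(command_line: str):
    """Return the path handed to /c, or None if the switch is absent."""
    m = _SWITCH_RE.search(command_line)
    return m.group(1).strip() if m else None


def evaluate(event: dict):
    """Return a hit record for an OpenWith.exe /c launch, else None."""
    if not image_is_openwith(event["Image"]):
        return None
    target = parse_target(event["CommandLine"])
    if target is None:
        return None  # image matched but no payload: treat as the ordinary dialog
    return {
        "image": event["Image"],
        "target": target,
        # ntpath handles backslash separators even when run on a non-Windows host
        "extension": ntpath.splitext(target)[1].lower(),
        "parent": event["ParentImage"],  # kept for triage, not used as a condition
    }


def detect(events):
    """Apply the rule to a batch of events and return the hits in order."""
    return [hit for hit in (evaluate(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['image']} launched {hit['target']} ({hit['extension']}) "
              f"from parent {hit['parent']}")
```

The parent image is carried through in each hit because, in triage, an OpenWith.exe that was started by cmd.exe or by a binary in a user's Temp directory deserves a closer look than one started by Explorer, but the example deliberately does not turn that into a rule condition, since the page does not establish what the legitimate parent set is.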

MIT License. Copyright (c) 2020-2021 Strontic.