OpenWith.exe

  • File Path: C:\Windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 64148E3F7B8519DCB04FE5E96D5F1184
SHA1 06A08438ABDB64FE3AE0C80FB432F0A0DC66A14A
SHA256 39289ABE68243EAA414BB59F3F918BEFD358FA8465EE83A50BA93E33F8F9AF64
SHA384 954868D78889BAF20B5CBDD3ECC7F685A3B2464DE225EF26BE18FE0377E43785A0ACD46A14DBD8E298E1894B04B0E827
SHA512 F50F43B553D98B1C175CAFA635EE3DFD698B726A8D61DA7A3DD558D35FFDA83E49D550AA153554DE63FDAD019C8DBB90CAFB7C2A7A7DB73B54E951FD22469210
SSDEEP 1536:qx2TCjRqyegzTJ8VcJQyAO50aimJ1JsaeQyrFI0fKQTzBNer+CE+Ge+MgTqXPTQ:pTCjHPJQymaex6orer+CE+GW7Q

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 40
C:\windows\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 40
C:\Windows\system32\OpenWith.exe 41
C:\WINDOWS\system32\OpenWith.exe 33
C:\WINDOWS\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 52
C:\windows\SysWOW64\OpenWith.exe 47
C:\Windows\SysWOW64\OpenWith.exe 91
C:\Windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 43
C:\WINDOWS\SysWOW64\OpenWith.exe 50

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.