OpenWith.exe

  • File Path: C:\Windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 A633739DA182E75C0D6741119A902A0B
SHA1 26D3C98CFCDE9F6BF74F7131935653EE06661541
SHA256 05DA72B7B1906C504482410E2F2F4D57D41ADA140DA833D1AB5B9195AB80A3E0
SHA384 D027F0E71FDB35F897B0AF55BBF0BCC07C07AF7BC722B5A50E478CCC4690763023F1248DDC6C4D59EC63D59ABB4B1B85
SHA512 3334DBA8E90E35A4881A1B7E4AD417861E908ECD1C8DF0D27C43346DFE836BE17C8AE2EF2ED188D7E8B866620C526F76CA33DA0EB037234868DD60302BEDA21C
SSDEEP 1536:TxTONUUIeF6ZyGhAUfKQTzBNer+CE+Ge+aPRL:rNKIrer+CE+GgpL

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 43
C:\windows\system32\OpenWith.exe 49
C:\Windows\system32\OpenWith.exe 43
C:\Windows\system32\OpenWith.exe 43
C:\WINDOWS\system32\OpenWith.exe 40
C:\WINDOWS\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 49
C:\Windows\system32\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 41
C:\windows\SysWOW64\OpenWith.exe 52
C:\Windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 54
C:\WINDOWS\SysWOW64\OpenWith.exe 49

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.