OpenWith.exe

  • File Path: C:\Windows\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 C6CEF89904DEC9404CCCD414E353C344
SHA1 E6853843F2A70BF03B2B107758A22F3F951AAA67
SHA256 FCF7C8545CDC4763B0D74D94F06E29F0DDFFDBADCABD096A35D82959B9F562E2
SHA384 72A404E7B003397D9EABA4512EE859BE04A9CD4B5CE81F36004EB1216A6A3FA1A2B11AF0C5F17EF17BC83250FEE4D92B
SHA512 46434021876CCD62569CA7AC2CB2FF30D91F9B3AEBA136600410B3DC4E9AB88E5EAC7973DDAF4C4EBA17C08CBE198A90E41E8BF08379B8CBA3F7ACB5EEE82348
SSDEEP 1536:hl6g16xnOg26tRxwMF50aimuCHLswrKyLFKQfKQTzBNer+CE+Ge+av7FPW4yA:76cOtRxwavr3wkrer+CE+G8F+A
IMP FDF10BE5B78520728DF2C4E8D89DF1DA
PESHA1 C4C4320439BED35070F6076226994E84FE6BB5C0
PE256 6D72574D24E24544AA2278CCF89392E2BFBE846F6A6E73656DC115C260D42AB0

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\oleaccrc.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\RPC Control\DSEC618 Section
\Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\OpenWith.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1075 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1075
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/fcf7c8545cdc4763b0d74d94f06e29f0ddffdbadcabd096a35d82959b9f562e2/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 40
C:\windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 47
C:\Windows\system32\OpenWith.exe 41
C:\WINDOWS\system32\OpenWith.exe 40
C:\Windows\system32\OpenWith.exe 44
C:\windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 47
C:\Windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 46
C:\WINDOWS\SysWOW64\OpenWith.exe 47

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma win_susp_openwith.yml Image|endswith: '\OpenWith.exe' DRL 1.0
sigma win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe

MIT License. Copyright (c) 2020-2021 Strontic.