OpenWith.exe

  • File Path: C:\WINDOWS\system32\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 C9B3F7E1EB1970A715FA56AB076A260B
SHA1 5D94ED57AE017D90E48449A7DE0A64B1A3620120
SHA256 7F1231BBCB8B271ABA5F6781C08C5CD43A1692FD72D9E3A51EE7DB24EF27B28A
SHA384 6CFA5466B9EB474A780E2771DFC0D47F31F7CD8399445A7ECEE6613C9266C75BC703F227CA6824A6E215F8E8D124BB04
SHA512 56FC8749D12A09C6D877524F228D891F947BFBA86EAC4DBF95BA64D47014DB2E190F5B2DDAC03688F4B64250A71F614742819146330455B34781C2742CE41324
SSDEEP 1536:c4TlRoYQuigA7yfSJopqs4V5wqBoqJSTlXXyfzEEfKQTzBNer+CE+Ge+iP2b:1oYQN7epqhNShSY4rer+CE+GcOb

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 44
C:\windows\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 41
C:\Windows\system32\OpenWith.exe 50
C:\WINDOWS\system32\OpenWith.exe 33
C:\Windows\system32\OpenWith.exe 38
C:\Windows\system32\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 43
C:\windows\SysWOW64\OpenWith.exe 44
C:\Windows\SysWOW64\OpenWith.exe 41
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 44
C:\Windows\SysWOW64\OpenWith.exe 40
C:\WINDOWS\SysWOW64\OpenWith.exe 49
C:\WINDOWS\SysWOW64\OpenWith.exe 46

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.