OpenWith.exe

  • File Path: C:\Windows\system32\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 E4A834784FA08C17D47A1E72429C5109
SHA1 29EFBC22884147F29760E9A4D21758629FD6B507
SHA256 F2DB6838B734264FAB79D24E5F96A21E6528073360A8DAAA8D7EFB8BC5D5EDB4
SHA384 ABB77C1E0211731C7EEBA0EB75A797AD7F5D75C37C0621182BFBEF4AC26BCEB13B42398618B8B03D614696A137541223
SHA512 E6E4A4EBF230164982B697FC6B60D2C8EA186D6464CE6E10BFE213AA5FF664C4ED235DFD4975FB54289667902809E43E11D92BA35E4A8100D2F331CD910565FE
SSDEEP 1536:aKNdpomp1GEmrvoHAUd4r6LjAD61njRyyrz+mfKQTzBNer+CE+Ge+eKlPj8:4i1HAUGI1nk36rer+CE+Gdw
IMP 4CDC00ED05B5E2753EAAEC1DEEF7901B
PESHA1 C3AC9B409157B7279C061D794B9DFA5828CFBFCC
PE256 AA0AA8EA3C3F048F6592E20941C86CD404B736F2B59308B9906AA70845310E32

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\apppatch\DirectXApps_FOD.sdb File
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SystemResources\twinui.dll.mun File
(R-D) C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
(RWD) C:\Windows\Fonts\seguisym.ttf File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\OpenWith.exe
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/f2db6838b734264fab79d24e5f96a21e6528073360a8daaa8d7efb8bc5d5edb4/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 52
C:\windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 47
C:\Windows\system32\OpenWith.exe 50
C:\WINDOWS\system32\OpenWith.exe 29
C:\WINDOWS\system32\OpenWith.exe 38
C:\Windows\system32\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 46
C:\windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 41
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 38
C:\WINDOWS\SysWOW64\OpenWith.exe 44
C:\WINDOWS\SysWOW64\OpenWith.exe 41

Possible Misuse

The following table lists detection rules and LOLBAS entries that reference OpenWith.exe. The binary itself is a signed Windows component that is not inherently malicious, but its /c switch launches whatever file is passed to it (the LOLBAS entries use an .hta and an .msi), so an attacker can use it as a proxy execution step with OpenWith.exe as the parent process. That parent/child relationship, OpenWith.exe spawning another binary, is what the Sigma rule below keys on; legitimate use by a user picking an app is the expected false positive.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe

MIT License. Copyright (c) 2020-2021 Strontic.