OpenWith.exe

  • File Path: C:\WINDOWS\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 F1156D86892A581100107B8CDE2BF0AA
SHA1 3140AD2C66D28A2EBDE500D37FC30875F9EE4244
SHA256 29275C78478840089CDF68EF8F8CB9D7664A0946485184C5A158D3F3C1567CD4
SHA384 67E61F0D1A26BC636C0021E9476A3059C46B2CC4BA70EDB9627BF988827F7261E5922744587830A75841831CBC320B4C
SHA512 6B6419ABB567A047BAB4A75DEA0945B576C5864CD52C6B47A738900C8B40313D65DA4F9C449184CEC86394ED67B5FDE028B9C6F8C95373B9C21D9D04DF366A29
SSDEEP 1536:Q6jTeeo5xp0Tz9Ig9fHP05KQwDX8s4yyWhy0F/tfKQTzBNer+CE+Ge+AOPg:ArpiANwDLo49rer+CE+GqOY
IMP 3FA6E805902C422495850E0276B74DEF
PESHA1 29DB3F8705EABD7BA9424CCC43CE5345FCDE1F26
PE256 9DC790725E82754736341BE6B179FD522485DFA475FA9758621A0D88DE28ED33

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\dui70.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\System32\en-US\OpenWith.exe.mui File
(R-D) C:\Windows\System32\en-US\shell32.dll.mui File
(R-D) C:\Windows\System32\en-US\twinui.dll.mui File
(R-D) C:\Windows\System32\en-US\Windows.UI.Immersive.dll.mui File
(R-D) C:\Windows\SystemResources\twinui.dll.mun File
(R-D) C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db File
(RWD) C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000018.db Section
\Sessions\2\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\OpenWith.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/29275c78478840089cdf68ef8f8cb9d7664a0946485184c5a158d3f3c1567cd4/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 43
C:\windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 38
C:\Windows\system32\OpenWith.exe 47
C:\WINDOWS\system32\OpenWith.exe 38
C:\WINDOWS\system32\OpenWith.exe 49
C:\Windows\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 46
C:\windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 40
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 43
C:\WINDOWS\SysWOW64\OpenWith.exe 44

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.