OpenWith.exe

  • File Path: C:\WINDOWS\SysWOW64\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 FADC6187E347B4820DA5B907B45F6024
SHA1 C425C2C938ADCFFBD67CE794F6502C720BB107CC
SHA256 FFB5B7EDEE058645FABC99F1DABFCFD3AEAEF02CF0FE373F07CEA71966456626
SHA384 98A89046C021E7AEFBCF091875195E2B5B73FFECF6C42649B8880EA9059793366E927C0BEA6D8FEA959A64E4E4A51536
SHA512 23D223AF77F77B3D2866B7B5D242066EFE0C2A0DB0EC66370D6DD81029893464445C0AAFC3E5318F61E25FB3AB8BAB3DD3160ABE422124DE5FFCD36A8CA6C44F
SSDEEP 1536:9bnuqGDAcb+FBMhf+NaR50aimTtJrlyrFEEfKQTzBNer+CE+Ge+xEPTv:RRfyhf+mrc24rer+CE+GzED

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
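
One way to check a copy of OpenWith.exe on a live host against the hashes and signer listed above, as an added example (not Strontic's code). The expected SHA256, thumbprint and subject are taken from this page; the function name and the shape of its output are this example's own choices.

```powershell
# Added example (not from Strontic): compare a local OpenWith.exe with the
# hash and signer details listed on this page.
function Test-OpenWithBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Defaults are copied from the Hashes and Signature sections above
        [string] $ExpectedSha256     = 'FFB5B7EDEE058645FABC99F1DABFCFD3AEAEF02CF0FE373F07CEA71966456626',
        [string] $ExpectedThumbprint = 'A4341B9FD50FB9964283220A36A1EF6F6FAA7840',
        [string] $ExpectedSubject    = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Not found: $Path"
    }

    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path   # also consults the OS catalogs on Windows 8+
    $ver    = (Get-Item -LiteralPath $Path).VersionInfo

    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
    $thumbprint    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    [pscustomobject]@{
        Path              = $Path
        FileVersion       = $ver.FileVersion          # page lists 10.0.18362.693
        MD5               = $md5
        SHA256            = $sha256
        SHA256Matches     = ($sha256 -ieq $ExpectedSha256)
        SignatureStatus   = $sig.Status               # 'Valid' for an intact Microsoft-signed binary
        Signer            = $signerSubject
        SignerIsWindows   = ($signerSubject -eq $ExpectedSubject)
        ThumbprintMatches = ($thumbprint -ieq $ExpectedThumbprint)
    }
}

# The page describes the SysWOW64 (32-bit) copy; System32 holds the 64-bit one.
foreach ($p in "$env:SystemRoot\System32\OpenWith.exe", "$env:SystemRoot\SysWOW64\OpenWith.exe") {
    if (Test-Path -LiteralPath $p) { Test-OpenWithBinary -Path $p }
}
```

Read the result with the build in mind: the hashes and the leaf-certificate thumbprint belong to file version 10.0.18362.693 only, so on any other Windows build SHA256Matches and ThumbprintMatches will be false without anything being wrong (Microsoft rotates its leaf signing certificates). The checks that should hold on every build are SignatureStatus equal to Valid and a signer subject of CN=Microsoft Windows; a file named OpenWith.exe that fails those, or that lives outside System32 and SysWOW64, is what deserves a second look.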

File Metadata

  • Original Filename: OpenWith.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.693 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.693
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 38
C:\windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 43
C:\WINDOWS\system32\OpenWith.exe 41
C:\WINDOWS\system32\OpenWith.exe 46
C:\Windows\system32\OpenWith.exe 41
C:\Windows\system32\OpenWith.exe 47
C:\Windows\SysWOW64\OpenWith.exe 50
C:\windows\SysWOW64\OpenWith.exe 46
C:\Windows\SysWOW64\OpenWith.exe 47
C:\Windows\SysWOW64\OpenWith.exe 50
C:\Windows\SysWOW64\OpenWith.exe 49
C:\Windows\SysWOW64\OpenWith.exe 47
C:\WINDOWS\SysWOW64\OpenWith.exe 44

Possible Misuse

The rows below, drawn from the Sigma and LOLBAS projects, show how OpenWith.exe can be misused. OpenWith.exe is not inherently malicious: the abuse the LOLBAS entry documents, and the Sigma rule keys on, is its /c switch launching whatever file it is handed (an .hta or .msi in the LOLBAS examples).

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage: 'C:\Windows\system32\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma proc_creation_win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma proc_creation_win_susp_openwith.yml Image|endswith: '\OpenWith.exe' DRL 1.0
sigma proc_creation_win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  
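
The selection logic of proc_creation_win_susp_openwith.yml applied to process-creation records, as an added example that is not Sigma's, LOLBAS's or Strontic's code. The sample events are constructed for this example; their field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) so real events can be piped in the same way. The function name and output columns are this example's own choices.

```powershell
# Added example (not from Sigma, LOLBAS or Strontic): flag OpenWith.exe launched
# with a /c argument, the pattern the Sigma rule and LOLBAS entry above describe.
function Find-SuspiciousOpenWith {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Event)
    process {
        # Selection mirrors the rule: Image ends with \OpenWith.exe and the
        # command line carries a standalone /c switch
        $isOpenWith = $Event.Image -like '*\OpenWith.exe'
        $hasSlashC  = $Event.CommandLine -match '(^|\s)/c(\s|$)'
        if ($isOpenWith -and $hasSlashC) {
            # Pull out what /c points at so the analyst sees the payload path
            $target = $null
            if ($Event.CommandLine -match '(?:^|\s)/c\s+(.+)$') { $target = $Matches[1].Trim() }
            [pscustomobject]@{
                Rule        = 'OpenWith.exe Executes Specified Binary'
                Image       = $Event.Image
                Target      = $target
                ParentImage = $Event.ParentImage
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry)
$sample = @(
    # Benign-looking: dialog opened from Explorer, no /c switch
    [pscustomobject]@{ Image = 'C:\Windows\System32\OpenWith.exe'
                       CommandLine = '"C:\Windows\System32\OpenWith.exe" C:\Users\alice\report.xyz'
                       ParentImage = 'C:\Windows\explorer.exe' }
    # The two LOLBAS commands from the table above, launched from a shell
    [pscustomobject]@{ Image = 'C:\Windows\SysWOW64\OpenWith.exe'
                       CommandLine = 'OpenWith.exe /c C:\test.hta'
                       ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\OpenWith.exe'
                       CommandLine = 'OpenWith.exe /c C:\testing.msi'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    # Unrelated process that also uses /c; must not match
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami'
                       ParentImage = 'C:\Windows\explorer.exe' }
)

# Expected: only the two OpenWith.exe /c events are returned
$sample | Find-SuspiciousOpenWith | Format-Table -AutoSize
```

The rule's own false-positive note ("Legitimate use of OpenWith.exe by legitimate user") is why the output keeps ParentImage and Target: an OpenWith.exe spawned by Explorer to show the "Pick an app" dialog reads differently from one spawned by cmd.exe or an Office process with /c pointing at an .hta or .msi. To run this over real data, pull Sysmon Event ID 1 records with Get-WinEvent from the Microsoft-Windows-Sysmon/Operational log and map the Image, CommandLine and ParentImage EventData fields onto objects of the same shape.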

MIT License. Copyright (c) 2020-2021 Strontic.