OpenWith.exe

  • File Path: C:\Windows\system32\OpenWith.exe
  • Description: Pick an app

Hashes

Type Hash
MD5 FEAEEC585FEA59A316DDDD6C8505DA8D
SHA1 6E075F557DD34F8A7BBA911FFA972279414EAF66
SHA256 E9F8EBA1F42F60AACEC65BC346AF51A649F8C9BF625AB9493F17D98F4C6C22D9
SHA384 E72B5A43CB8E3188B34F76D8628F32A3DBE37041023FE59B463361CB0AA1A24F061ECCE370497AED10E5379CE8B1487E
SHA512 F8AAA2386D37C6028BA524F76997698DED4231762408EAEFC667A999E17566EB47C6D01C36FE37B59C7EC5D5D4CF5B20B220F526A9147C7FA362D408E332C670
SSDEEP 1536:PhuNoJDGys4JLd9P14GqBaUfKQTzBNer+CE+Ge+JPVW:fhFXd7qMIrer+CE+GXNW

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OpenWith.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\OpenWith.exe 44
C:\windows\system32\OpenWith.exe 49
C:\Windows\system32\OpenWith.exe 44
C:\Windows\system32\OpenWith.exe 46
C:\WINDOWS\system32\OpenWith.exe 46
C:\windows\SysWOW64\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 43
C:\Windows\SysWOW64\OpenWith.exe 54
C:\Windows\SysWOW64\OpenWith.exe 44
C:\WINDOWS\SysWOW64\OpenWith.exe 47

Possible Misuse

The following table contains possible examples of OpenWith.exe being misused. While OpenWith.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_openwith.yml title: OpenWith.exe Executes Specified Binary DRL 1.0
sigma win_susp_openwith.yml description: The OpenWith.exe executes other binary DRL 1.0
sigma win_susp_openwith.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml DRL 1.0
sigma win_susp_openwith.yml Image\|endswith: '\OpenWith.exe' DRL 1.0
sigma win_susp_openwith.yml - Legitimate use of OpenWith.exe by legitimate user DRL 1.0
LOLBAS Openwith.yml Name: Openwith.exe  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\test.hta  
LOLBAS Openwith.yml - Command: OpenWith.exe /c C:\testing.msi  
LOLBAS Openwith.yml - c:\windows\system32\Openwith.exe  
LOLBAS Openwith.yml - c:\windows\sysWOW64\Openwith.exe  

MIT License. Copyright (c) 2020-2021 Strontic.