OskSupport.dll

  • File Path: C:\Windows\system32\OskSupport.dll
  • Description: Microsoft On-Screen Keyboard Support Utilities

Hashes

Type Hash
MD5 6624033F22411924BEA3AD72E7487BB0
SHA1 64BB79C9A55B32AA1E7461396AE26E2F736FD3B2
SHA256 60A7D1EC0EAF1FA3368351942F6BFCD773101B569BA0F3FD986127500514F4E5
SHA384 2DA565F8DA5C13B23127AB92AB1944429CA61D2484FA1E9B45E9EA6FA201FB0976F50EE4425C639F7B283B2D88C44CA2
SHA512 BEEA62A414310F24F1067292C6D5558155EEF6E27B297008E33576E3A79CC58C6F3560D27E9BFAD304A8A51336B3912D0C5B08054BC94845781A72A6AF1C74F5
SSDEEP 96:ro9LwMDrjFmNSUK2QN6W91xm9d6ikeB65CYYkBhgPFl+TPgfEW9wp5Ww:b9Q4xW9/ETkLpRBhgPFl+jg8W9wp5W
IMP 4408417F6C79686F071742DE715AE577
PESHA1 0C5052285435235E7B3F42B06FB69129168A5BCF
PE256 05E54E2CB7A79750476CFD637455070A1DB6C6C6D83DF3B48055E907145C2ACA

DLL Exports:

Function Name Ordinal Type
UninitializeOSKSupport 2 Exported Function
InitializeOSKSupport 1 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: OskSupport.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/60a7d1ec0eaf1fa3368351942f6bfcd773101b569ba0f3fd986127500514f4e5/detection/

Possible Misuse

The following table contains possible examples of OskSupport.dll being misused. While OskSupport.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_wmp.yml description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) DRL 1.0
sigma file_event_win_uac_bypass_wmp.yml TargetFilename\|endswith: '\AppData\Local\Temp\OskSupport.dll' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) DRL 1.0
sigma registry_event_uac_bypass_wmp.yml description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) DRL 1.0
stockpile e99cce5c-cb7e-4a6e-8a09-1609a221b90a.yml name: duser/osksupport DLL Hijack Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.