osk.exe

  • File Path: C:\Windows\system32\osk.exe
  • Description: Accessibility On-Screen Keyboard

Hashes

Type Hash
MD5 745F2DF5BEED97B8C751DF83938CB418
SHA1 2F9FC33B1BF28E0F14FD75646A7B427DDBE14D25
SHA256 F67EF6E31FA0EAED44BFBAB5B908BE06B56CBC7D5A16AB2A72334D91F2BB6A51
SHA384 E8BD7ADCEB80C997212654D1EE47EE169B353E76C7B9ACA08ED61D367CB7E183C18C6E961F50EC640CB8613108D4BDFB
SHA512 2125D021E6F45A81BD75C9129F4B098AD9AA15C25D270051F4DA42458A9737BFF44D6ADF17AA1F2547715D159FB621829F7CD3B9D42F1521C919549CC7DEB228
SSDEEP 6144:vjEuy1vvndibBecaV3ORc1OcvH3AdKy9HGeofJgDEvr6slnCUGw/xIRLtxIRLuoR:vHCv/dmBeV3OrjmNwzaoo
IMP 6AEB800FEEB9D418D3E47935AE3AB427
PESHA1 34FD6C75A406A40527A00EF99637D0C884123AB4
PE256 8D30B06ACAB340243D6265EDFB352153B962584F720947A93C6CEB33E31EE870

Runtime Data

Window Title:

On-Screen Keyboard

Open Handles:

Path Type
(R--) C:\Windows\SKB\LanguageModels\lm.en.dat File
(R--) C:\Windows\SKB\LanguageModels\lm.en-grammar.dat File
(R--) C:\Windows\SKB\LanguageModels\lm.en-US.dat File
(R-D) C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui File
(R-D) C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\osk.exe.mui File
(R-D) C:\Windows\System32\en-US\wdmaud.drv.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.685_none_faeca4db76168538 File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\osk.exe
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: osk.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51/detection

File Similarity (ssdeep match)

File Score
C:\windows\system32\osk.exe 50
C:\WINDOWS\system32\osk.exe 68
C:\WINDOWS\system32\osk.exe 65
C:\Windows\system32\osk.exe 72
C:\Windows\system32\osk.exe 66
C:\windows\SysWOW64\osk.exe 63
C:\Windows\SysWOW64\osk.exe 69

Possible Misuse

The following table contains possible examples of osk.exe being misused. While osk.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_wmp.yml TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe' DRL 1.0
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'osk.exe' DRL 1.0
sigma proc_creation_win_stickykey_like_backdoor.yml - 'osk.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml Image: 'C:\Program Files\Windows Media Player\osk.exe' DRL 1.0
sigma registry_event_stickykey_like_backdoor.yml - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger' DRL 1.0
sigma registry_event_uac_bypass_wmp.yml TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' DRL 1.0
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"  
LOLBAS Wmic.yml Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.  
atomic-red-team T1546.008.md * On-Screen Keyboard: C:\Windows\System32\osk.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
signature-base thor_inverse_matches.yar description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "osk.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.