mscoree.dll

  • File Path: C:\Windows\SysWOW64\mscoree.dll
  • Description: Microsoft .NET Runtime Execution Engine

DLL Exports:

Function Name Ordinal Type
MetaDataGetDispenser 99 Exported Function
ND_CopyObjDst 100 Exported Function
ND_CopyObjSrc 101 Exported Function
LogHelp_TerminateOnAssert 35 Exported Function
LockClrVersion 98 Exported Function
LogHelp_LogAssert 33 Exported Function
LogHelp_NoGuiOnAssert 34 Exported Function
ND_RI2 102 Exported Function
ND_WI4 107 Exported Function
ND_WI8 108 Exported Function
ND_WU1 109 Exported Function
ND_WI2 106 Exported Function
ND_RI4 103 Exported Function
ND_RI8 104 Exported Function
ND_RU1 105 Exported Function
GetVersionFromProcess 90 Exported Function
GetXMLElement 91 Exported Function
GetXMLElementAttribute 92 Exported Function
GetTokenForVTableEntry 32 Exported Function
GetRequestedRuntimeVersionForCLSID 89 Exported Function
GetStartupFlags 30 Exported Function
GetTargetForVTableEntry 31 Exported Function
GetXMLObject 93 Exported Function
LoadLibraryWithPolicyShim 96 Exported Function
LoadStringRC 22 Exported Function
LoadStringRCEx 97 Exported Function
LoadLibraryShim 95 Exported Function
IEE 94 Exported Function
InitErrors 17 Exported Function
InitSSAutoEnterThread 19 Exported Function
OpenCtrs 36 Exported Function
StrongNameSignatureGeneration 126 Exported Function
StrongNameSignatureGenerationEx 127 Exported Function
StrongNameSignatureSize 128 Exported Function
StrongNameKeyInstall 125 Exported Function
StrongNameKeyDelete 122 Exported Function
StrongNameKeyGen 123 Exported Function
StrongNameKeyGenEx 124 Exported Function
StrongNameSignatureVerification 129 Exported Function
StrongNameTokenFromPublicKey 134 Exported Function
TranslateSecurityAttributes 135 Exported Function
UpdateError 20 Exported Function
StrongNameTokenFromAssemblyEx 133 Exported Function
StrongNameSignatureVerificationEx 130 Exported Function
StrongNameSignatureVerificationFromImage 131 Exported Function
StrongNameTokenFromAssembly 132 Exported Function
RuntimeOpenImage 113 Exported Function
RuntimeOSHandle 112 Exported Function
RuntimeReleaseHandle 114 Exported Function
RunDll32ShimW 111 Exported Function
PostError 18 Exported Function
ReOpenMetaDataWithMemory 23 Exported Function
ReOpenMetaDataWithMemoryEx 110 Exported Function
SetTargetForVTableEntry 37 Exported Function
StrongNameGetBlobFromImage 119 Exported Function
StrongNameGetPublicKey 120 Exported Function
StrongNameHashSize 121 Exported Function
StrongNameGetBlob 118 Exported Function
StrongNameCompareAssemblies 115 Exported Function
StrongNameErrorInfo 116 Exported Function
StrongNameFreeBuffer 117 Exported Function
GetRequestedRuntimeVersion 88 Exported Function
CorBindToRuntimeHost 52 Exported Function
CorDllMainWorker 26 Exported Function
CorExitProcess 53 Exported Function
CorBindToRuntimeEx 51 Exported Function
CorBindToRuntimeByCfg 48 Exported Function
CorBindToRuntimeByPath 49 Exported Function
CorBindToRuntimeByPathEx 50 Exported Function
CorGetSvc 54 Exported Function
CoUninitializeEE 45 Exported Function
CreateConfigStream 58 Exported Function
CreateDebuggingInterfaceFromVersion 59 Exported Function
CoUninitializeCor 44 Exported Function
CorIsLatestSvc 55 Exported Function
CorMarkThreadInThreadPool 56 Exported Function
CorTickleSvc 57 Exported Function
_CorValidateImage 140 Exported Function
CallFunctionShim 39 Exported Function
CloseCtrs 21 Exported Function
_CorImageUnloading 139 Exported Function
_CorDllMain 136 Exported Function
_CorExeMain 138 Exported Function
_CorExeMain2 137 Exported Function
CLRCreateInstance 38 Exported Function
CollectCtrs 25 Exported Function
CorBindToCurrentRuntime 46 Exported Function
CorBindToRuntime 47 Exported Function
CoInitializeEE 43 Exported Function
ClrCreateManagedInstance 40 Exported Function
CoEEShutDownCOM 41 Exported Function
CoInitializeCor 42 Exported Function
CreateInterface 60 Exported Function
GetHashFromFileW 79 Exported Function
GetHashFromHandle 80 Exported Function
GetHostConfigurationFile 81 Exported Function
GetHashFromFile 78 Exported Function
GetHashFromAssemblyFile 75 Exported Function
GetHashFromAssemblyFileW 76 Exported Function
GetHashFromBlob 77 Exported Function
GetMetaDataInternalInterface 82 Exported Function
GetProcessExecutableHeap 29 Exported Function
GetRealProcAddress 86 Exported Function
GetRequestedRuntimeInfo 87 Exported Function
GetPrivateContextsPerfCounters 28 Exported Function
GetMetaDataInternalInterfaceFromPublic 83 Exported Function
GetMetaDataPublicInterfaceFromInternal 84 Exported Function
GetPermissionRequests 85 Exported Function
EEDllGetClassObjectFromClass 27 Exported Function
EEDllRegisterServer 65 Exported Function
EEDllUnregisterServer 66 Exported Function
DllUnregisterServer 64 Exported Function
DllCanUnloadNow 61 Exported Function
DllGetClassObject 62 Exported Function
DllRegisterServer 63 Exported Function
GetAssemblyMDImport 67 Exported Function
GetCORSystemDirectory 71 Exported Function
GetCORVersion 72 Exported Function
GetFileVersion 74 Exported Function
GetCORRootDirectory 70 Exported Function
GetCLRMetaHost 68 Exported Function
GetCompileInfo 73 Exported Function
GetCORRequiredVersion 69 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mscoree.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/65
  • VirusTotal Link: https://www.virustotal.com/gui/file/57efa31b9f0116e46ab5e46c2e1764a79c507f751995db2e1c8727bdceb0c576/detection/

Possible Misuse

The following table contains possible examples of mscoree.dll being misused. While mscoree.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_susp_script_dotnet_clr_dll_load.yml | `- '\mscoree.dll'` | DRL 1.0 |
| signature-base | apt_poisonivy_gen3.yar | `$s3 = "mscoree.dll" fullword wide` | CC BY-NC 4.0 |
| signature-base | apt_solarwinds_sunburst.yar | `uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile) and all of ($string)` | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | `$s2 = "mscoree.dll" fullword wide` | CC BY-NC 4.0 |
| signature-base | gen_fireeye_redteam_tools.yar | `$s0 = "mscoree.dll" fullword nocase` | CC BY-NC 4.0 |
| signature-base | gen_fireeye_redteam_tools.yar | `$f0 = "mscoree.dll" fullword nocase` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.