mscoree.dll

  • File Path: C:\Windows\system32\mscoree.dll
  • Description: Microsoft .NET Runtime Execution Engine

DLL Exports:

Function Name Ordinal Type
MetaDataGetDispenser 99 Exported Function
ND_CopyObjDst 100 Exported Function
ND_CopyObjSrc 101 Exported Function
LogHelp_TerminateOnAssert 35 Exported Function
LockClrVersion 98 Exported Function
LogHelp_LogAssert 33 Exported Function
LogHelp_NoGuiOnAssert 34 Exported Function
ND_RI2 102 Exported Function
ND_WI4 107 Exported Function
ND_WI8 108 Exported Function
ND_WU1 109 Exported Function
ND_WI2 106 Exported Function
ND_RI4 103 Exported Function
ND_RI8 104 Exported Function
ND_RU1 105 Exported Function
GetVersionFromProcess 90 Exported Function
GetXMLElement 91 Exported Function
GetXMLElementAttribute 92 Exported Function
GetTokenForVTableEntry 32 Exported Function
GetRequestedRuntimeVersionForCLSID 89 Exported Function
GetStartupFlags 30 Exported Function
GetTargetForVTableEntry 31 Exported Function
GetXMLObject 93 Exported Function
LoadLibraryWithPolicyShim 96 Exported Function
LoadStringRC 22 Exported Function
LoadStringRCEx 97 Exported Function
LoadLibraryShim 95 Exported Function
IEE 94 Exported Function
InitErrors 17 Exported Function
InitSSAutoEnterThread 19 Exported Function
OpenCtrs 36 Exported Function
StrongNameSignatureGeneration 126 Exported Function
StrongNameSignatureGenerationEx 127 Exported Function
StrongNameSignatureSize 128 Exported Function
StrongNameKeyInstall 125 Exported Function
StrongNameKeyDelete 122 Exported Function
StrongNameKeyGen 123 Exported Function
StrongNameKeyGenEx 124 Exported Function
StrongNameSignatureVerification 129 Exported Function
StrongNameTokenFromPublicKey 134 Exported Function
TranslateSecurityAttributes 135 Exported Function
UpdateError 20 Exported Function
StrongNameTokenFromAssemblyEx 133 Exported Function
StrongNameSignatureVerificationEx 130 Exported Function
StrongNameSignatureVerificationFromImage 131 Exported Function
StrongNameTokenFromAssembly 132 Exported Function
RuntimeOpenImage 113 Exported Function
RuntimeOSHandle 112 Exported Function
RuntimeReleaseHandle 114 Exported Function
RunDll32ShimW 111 Exported Function
PostError 18 Exported Function
ReOpenMetaDataWithMemory 23 Exported Function
ReOpenMetaDataWithMemoryEx 110 Exported Function
SetTargetForVTableEntry 37 Exported Function
StrongNameGetBlobFromImage 119 Exported Function
StrongNameGetPublicKey 120 Exported Function
StrongNameHashSize 121 Exported Function
StrongNameGetBlob 118 Exported Function
StrongNameCompareAssemblies 115 Exported Function
StrongNameErrorInfo 116 Exported Function
StrongNameFreeBuffer 117 Exported Function
GetRequestedRuntimeVersion 88 Exported Function
CorBindToRuntimeHost 52 Exported Function
CorDllMainWorker 26 Exported Function
CorExitProcess 53 Exported Function
CorBindToRuntimeEx 51 Exported Function
CorBindToRuntimeByCfg 48 Exported Function
CorBindToRuntimeByPath 49 Exported Function
CorBindToRuntimeByPathEx 50 Exported Function
CorGetSvc 54 Exported Function
CoUninitializeEE 45 Exported Function
CreateConfigStream 58 Exported Function
CreateDebuggingInterfaceFromVersion 59 Exported Function
CoUninitializeCor 44 Exported Function
CorIsLatestSvc 55 Exported Function
CorMarkThreadInThreadPool 56 Exported Function
CorTickleSvc 57 Exported Function
_CorValidateImage 140 Exported Function
CallFunctionShim 39 Exported Function
CloseCtrs 21 Exported Function
_CorImageUnloading 139 Exported Function
_CorDllMain 136 Exported Function
_CorExeMain 137 Exported Function
_CorExeMain2 138 Exported Function
CLRCreateInstance 38 Exported Function
CollectCtrs 25 Exported Function
CorBindToCurrentRuntime 46 Exported Function
CorBindToRuntime 47 Exported Function
CoInitializeEE 43 Exported Function
ClrCreateManagedInstance 40 Exported Function
CoEEShutDownCOM 41 Exported Function
CoInitializeCor 42 Exported Function
CreateInterface 60 Exported Function
GetHashFromFileW 79 Exported Function
GetHashFromHandle 80 Exported Function
GetHostConfigurationFile 81 Exported Function
GetHashFromFile 78 Exported Function
GetHashFromAssemblyFile 75 Exported Function
GetHashFromAssemblyFileW 76 Exported Function
GetHashFromBlob 77 Exported Function
GetMetaDataInternalInterface 82 Exported Function
GetProcessExecutableHeap 29 Exported Function
GetRealProcAddress 86 Exported Function
GetRequestedRuntimeInfo 87 Exported Function
GetPrivateContextsPerfCounters 28 Exported Function
GetMetaDataInternalInterfaceFromPublic 83 Exported Function
GetMetaDataPublicInterfaceFromInternal 84 Exported Function
GetPermissionRequests 85 Exported Function
EEDllGetClassObjectFromClass 27 Exported Function
EEDllRegisterServer 65 Exported Function
EEDllUnregisterServer 66 Exported Function
DllUnregisterServer 64 Exported Function
DllCanUnloadNow 61 Exported Function
DllGetClassObject 62 Exported Function
DllRegisterServer 63 Exported Function
GetAssemblyMDImport 67 Exported Function
GetCORSystemDirectory 71 Exported Function
GetCORVersion 72 Exported Function
GetFileVersion 74 Exported Function
GetCORRootDirectory 70 Exported Function
GetCLRMetaHost 68 Exported Function
GetCompileInfo 73 Exported Function
GetCORRequiredVersion 69 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mscoree.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/8828de042d008783ba5b31c82935a3ed38d5996927c3399b3e1fc6fe723fc84e/detection/

Possible Misuse

The following table contains possible examples of mscoree.dll being misused. While mscoree.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | image_load_susp_script_dotnet_clr_dll_load.yml | - '\mscoree.dll' | DRL 1.0
signature-base | apt_poisonivy_gen3.yar | $s3 = "mscoree.dll" fullword wide | CC BY-NC 4.0
signature-base | apt_solarwinds_sunburst.yar | uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile) and all of ($string) | CC BY-NC 4.0
signature-base | apt_threatgroup_3390.yar | $s2 = "mscoree.dll" fullword wide | CC BY-NC 4.0
signature-base | gen_fireeye_redteam_tools.yar | $s0 = "mscoree.dll" fullword nocase | CC BY-NC 4.0
signature-base | gen_fireeye_redteam_tools.yar | $f0 = "mscoree.dll" fullword nocase | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.