mshtml.dll

  • File Path: C:\Windows\system32\mshtml.dll
  • Description: Microsoft (R) HTML Viewer

Hashes

Type Hash
MD5 991FCF80CBA4226446464056FE2FD2A4
SHA1 C33D63ED5D8808C7EBA161F5CE8F3341F49E1A54
SHA256 3D95FBA53ED28B7B87543ADFC7A9F48BDCBE7B48F245300B982CC07E4B2392C7
SHA384 11A415420FD50168685E639BD3CDFF51EABBBF74FE787A45E1D7B7C58D488113220010D65E97DC4C4FB198B9EDAE0A52
SHA512 89A6C502B331B5F6D6E88409EFDBDA00DC9CFA4773A4DCC6B6E2E8C2753721065FA86FEA83B76ACBA7AFDC5920F8C4264BDFEDD1527FFF27ADBE908B451234A0
SSDEEP 393216:UiKpqqF/1+TuSc3gIjZjq0vMfp7XaxPYFY5G:xKsX
IMP 15A68012EEC9EBBFE108955F80E80B99
PESHA1 7AD0B82DDE272882E8DC326F1EBC02340EB10F7B
PE256 55AE36F5903DDE91137CA90D541831A4199B59E56961E7B576EF2E0128CE6718

DLL Exports:

| Function Name | Ordinal | Type |
|---|---|---|
| RunHTMLApplication | 135 | Exported Function |
| ShowHTMLDialog | 136 | Exported Function |
| PrintHTML | 133 | Exported Function |
| InitializeLocalHtmlEngine | 119 | Exported Function |
| MatchExactGetIDsOfNames | 132 | Exported Function |
| ShowHTMLDialogEx | 137 | Exported Function |
| TravelLogStgCreateInstance | 142 | Exported Function |
| UninitializeLocalHtmlEngine | 143 | Exported Function |
| TravelLogCreateInstance | 141 | Exported Function |
| ShowModalDialog | 139 | Exported Function |
| ShowModelessHTMLDialog | 140 | Exported Function |
| CreateHTMLPropertyPage | 111 | Exported Function |
| DllCanUnloadNow | 112 | Exported Function |
| CreateCoreWebView | 110 | Exported Function |
| ClearPhishingFilterData | 108 | Exported Function |
| ConvertAndEscapePostData | 109 | Exported Function |
| DllEnumClassObjects | 113 | Exported Function |
| IEIsXMLNSRegistered | 117 | Exported Function |
| IERegisterXMLNS | 118 | Exported Function |
| GetWebPlatformObject | 116 | Exported Function |
| DllGetClassObject | 114 | Exported Function |
| GetColorValueFromString | 115 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSHTML.DLL.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/3d95fba53ed28b7b87543adfc7a9f48bdcbe7b48f245300b982cc07e4b2392c7/detection/

Possible Misuse

The following table contains possible examples of mshtml.dll being misused. While mshtml.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_rundll32_activity.yml | - 'mshtml.dll' | DRL 1.0 |
| sigma | registry_event_vbs_payload_stored.yml | - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' | DRL 1.0 |
| LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | |
| LOLBAS | Mshtml.yml | Name: Mshtml.dll | |
| LOLBAS | Mshtml.yml | - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" | |
| LOLBAS | Mshtml.yml | - Path: c:\windows\system32\mshtml.dll | |
| LOLBAS | Mshtml.yml | - Path: c:\windows\syswow64\mshtml.dll | |
| LOLBAS | Mshtml.yml | - Link: https://windows10dll.nirsoft.net/mshtml_dll.html | |
| signature-base | apt_tidepool.yar | $x2 = "C:\PROGRA~2\IEHelper\mshtml.dll" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_tidepool.yar | $x3 = "C:\DOCUME~1\ALLUSE~1\IEHelper\mshtml.dll" fullword wide | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.