mshtml.dll

  • File Path: C:\Windows\SysWOW64\mshtml.dll
  • Description: Microsoft (R) HTML Viewer

Hashes

| Type | Hash |
|------|------|
| MD5 | DF00815E65CABF70A7D442EEFFB50E0D |
| SHA1 | 25ADD2135E6DA6DBB42C61BAC99CDBE348B8D574 |
| SHA256 | 47DDAA6888E7DF9490DA5FA3A15E9F6CAC38BAB927AEE810D0DB5BAEABBD82EA |
| SHA384 | 712223892B9428265728E65A9A9C3068A01387E40C48A8DDC386656AF73B2CDDED66565BC4D4F2DB127A43E8F1E42E85 |
| SHA512 | 41D90C7D32136C45466A7575096206FDBFB9033AED641E2F31B785B2B099192DFC34959014744D7B66A1A98029EF2CCC112517679DD4EC527588F2D3C3E4FF88 |
| SSDEEP | 393216:IKCBkkSvQLbt6jSuHfH9Gx5e7iemV+iUUXi1PDq7voB:VDkSvObt6jJ91eVXNkPm7w |
| IMP | 78CA0B0D2E6DF42028B3B7D22A2FEBA4 |
| PESHA1 | 7154E7EC1AB11D138B3E51CAA25A20FA7AE017B9 |
| PE256 | F58C995A56CB553B4CA47FAC961B019B88A1E5C77838438A9E824E4783D166EB |

DLL Exports:

| Function Name | Ordinal | Type |
|---------------|---------|------|
| RunHTMLApplication | 135 | Exported Function |
| ShowHTMLDialog | 136 | Exported Function |
| PrintHTML | 133 | Exported Function |
| InitializeLocalHtmlEngine | 119 | Exported Function |
| MatchExactGetIDsOfNames | 132 | Exported Function |
| ShowHTMLDialogEx | 137 | Exported Function |
| TravelLogStgCreateInstance | 142 | Exported Function |
| UninitializeLocalHtmlEngine | 143 | Exported Function |
| TravelLogCreateInstance | 141 | Exported Function |
| ShowModalDialog | 139 | Exported Function |
| ShowModelessHTMLDialog | 140 | Exported Function |
| CreateHTMLPropertyPage | 111 | Exported Function |
| DllCanUnloadNow | 112 | Exported Function |
| CreateCoreWebView | 110 | Exported Function |
| ClearPhishingFilterData | 108 | Exported Function |
| ConvertAndEscapePostData | 109 | Exported Function |
| DllEnumClassObjects | 113 | Exported Function |
| IEIsXMLNSRegistered | 117 | Exported Function |
| IERegisterXMLNS | 118 | Exported Function |
| GetWebPlatformObject | 116 | Exported Function |
| DllGetClassObject | 114 | Exported Function |
| GetColorValueFromString | 115 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSHTML.DLL
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.508 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.508
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/47ddaa6888e7df9490da5fa3a15e9f6cac38bab927aee810d0db5baeabbd82ea/detection/

Possible Misuse

The following table contains possible examples of mshtml.dll being misused. While mshtml.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_susp_rundll32_activity.yml | - 'mshtml.dll' | DRL 1.0 |
| sigma | registry_event_vbs_payload_stored.yml | - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' | DRL 1.0 |
| LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); | |
| LOLBAS | Mshtml.yml | Name: Mshtml.dll | |
| LOLBAS | Mshtml.yml | - Command: rundll32.exe Mshtml.dll,PrintHTML "C:\temp\calc.hta" | |
| LOLBAS | Mshtml.yml | - Path: c:\windows\system32\mshtml.dll | |
| LOLBAS | Mshtml.yml | - Path: c:\windows\syswow64\mshtml.dll | |
| LOLBAS | Mshtml.yml | - Link: https://windows10dll.nirsoft.net/mshtml_dll.html | |
| signature-base | apt_tidepool.yar | $x2 = "C:\PROGRA~2\IEHelper\mshtml.dll" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_tidepool.yar | $x3 = "C:\DOCUME~1\ALLUSE~1\IEHelper\mshtml.dll" fullword wide | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.