WinSCard.dll

  • File Path: C:\Windows\system32\WinSCard.dll
  • Description: Microsoft Smart Card API

Hashes

Type Hash
MD5 11F8E50A4BBAE1A645EB7D2DA4D319B9
SHA1 7C38994AF98907DDBD544FCB2FDFD8595CA97805
SHA256 22726916521BDEE1075CEDBBCE5EEF60AECA073AA6265F686BD6C24C294398E5
SHA384 53A19FB5E93CEC95FC4CA666C1918BBC2EA1A70B72096533D3B42F75283FAD146FFCCCB4F954C6346E5D3EE529103023
SHA512 4F0CF35CFB605C8553197940D46C9F77C8BE95FE76873BE033C8488F28D5046BD61A2E1516E37A5EE683741524CBB39C5A26FB4E5CC5576DABB960451EF1AD2B
SSDEEP 6144:ROAFqxvQhLbJhYSeQlaGLpyVje0T0gUc/02oxGW95:kAFqxvq3XgqpHeUoW9
IMP 35E4FED4D4FD8961F3E5EE53CC15915E
PESHA1 A3F96D8E653A90DC10E443A218C074259AD74F00
PE256 D1DBBFF0014068F7CA8BE3E33F726E4C9EBEFB78FBF7B7B384E47707941E0702

DLL Exports:

Function Name Ordinal Type
SCardListReadersWithDeviceInstanceIdA 56 Exported Function
SCardListReadersWithDeviceInstanceIdW 57 Exported Function
SCardListReadersW 55 Exported Function
SCardListReaderGroupsW 53 Exported Function
SCardListReadersA 54 Exported Function
SCardLocateCardsW 61 Exported Function
SCardPciRaw 3 Exported Function
SCardLocateCardsByATRW 60 Exported Function
SCardLocateCardsA 58 Exported Function
SCardLocateCardsByATRA 59 Exported Function
SCardIntroduceReaderW 46 Exported Function
SCardIsValidContext 47 Exported Function
SCardIntroduceReaderGroupW 45 Exported Function
SCardIntroduceReaderA 43 Exported Function
SCardIntroduceReaderGroupA 44 Exported Function
SCardListInterfacesW 51 Exported Function
SCardListReaderGroupsA 52 Exported Function
SCardListInterfacesA 50 Exported Function
SCardListCardsA 48 Exported Function
SCardListCardsW 49 Exported Function
SCardSetCardTypeProviderNameW 71 Exported Function
SCardState 72 Exported Function
SCardSetCardTypeProviderNameA 70 Exported Function
SCardRemoveReaderFromGroupW 68 Exported Function
SCardSetAttrib 69 Exported Function
SCardWriteCacheA 76 Exported Function
SCardWriteCacheW 77 Exported Function
SCardTransmit 75 Exported Function
SCardStatusA 73 Exported Function
SCardStatusW 74 Exported Function
SCardReadCacheW 63 Exported Function
SCardReconnect 64 Exported Function
SCardReadCacheA 62 Exported Function
SCardPciT0 4 Exported Function
SCardPciT1 5 Exported Function
SCardReleaseStartedEvent 66 Exported Function
SCardRemoveReaderFromGroupA 67 Exported Function
SCardReleaseNewReaderEvent 7 Exported Function
SCardReleaseAllEvents 6 Exported Function
SCardReleaseContext 65 Exported Function
SCardControl 16 Exported Function
SCardDisconnect 17 Exported Function
SCardConnectW 15 Exported Function
SCardCancel 13 Exported Function
SCardConnectA 14 Exported Function
SCardForgetCardTypeW 21 Exported Function
SCardForgetReaderA 22 Exported Function
SCardForgetCardTypeA 20 Exported Function
SCardEndTransaction 18 Exported Function
SCardEstablishContext 19 Exported Function
g_rgSCardT1Pci 80 Exported Function
SCardAccessNewReaderEvent 2 Exported Function
g_rgSCardT0Pci 79 Exported Function
ClassInstall32 1 Exported Function
g_rgSCardRawPci 78 Exported Function
SCardAudit 11 Exported Function
SCardBeginTransaction 12 Exported Function
SCardAddReaderToGroupW 10 Exported Function
SCardAccessStartedEvent 8 Exported Function
SCardAddReaderToGroupA 9 Exported Function
SCardGetReaderIconA 36 Exported Function
SCardGetReaderIconW 37 Exported Function
SCardGetReaderDeviceInstanceIdW 35 Exported Function
SCardGetProviderIdW 33 Exported Function
SCardGetReaderDeviceInstanceIdA 34 Exported Function
SCardIntroduceCardTypeA 41 Exported Function
SCardIntroduceCardTypeW 42 Exported Function
SCardGetTransmitCount 40 Exported Function
SCardGetStatusChangeA 38 Exported Function
SCardGetStatusChangeW 39 Exported Function
SCardFreeMemory 26 Exported Function
SCardGetAttrib 27 Exported Function
SCardForgetReaderW 25 Exported Function
SCardForgetReaderGroupA 23 Exported Function
SCardForgetReaderGroupW 24 Exported Function
SCardGetDeviceTypeIdW 31 Exported Function
SCardGetProviderIdA 32 Exported Function
SCardGetDeviceTypeIdA 30 Exported Function
SCardGetCardTypeProviderNameA 28 Exported Function
SCardGetCardTypeProviderNameW 29 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winscard.dll.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/22726916521bdee1075cedbbce5eef60aeca073aa6265f686bd6c24c294398e5/detection/

Possible Misuse

The following table contains possible examples of WinSCard.dll being misused. While WinSCard.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_susp_image_load.yml | description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz | DRL 1.0 |
| sigma | sysmon_susp_image_load.yml | - '*\WinSCard.dll' | DRL 1.0 |
| malware-ioc | rtm | WinSCard.dll | © ESET 2014-2018 |
| signature-base | crime_shifu_trojan.yar | $s5 = "WinSCard.dll" fullword ascii /* Goodware String - occured 83 times */ | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020 Strontic.