{
	"id": "625472c3-0035-4c17-9660-307104d9e682",
	"created_at": "2026-04-06T00:18:55.819458Z",
	"updated_at": "2026-04-10T13:12:04.548303Z",
	"deleted_at": null,
	"sha1_hash": "bb293fb47507ec7e69458712eec481f26f7e05e0",
	"title": "samlib.dll | SAM Library DLL",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100211,
	"plain_text": "samlib.dll | SAM Library DLL\r\nArchived: 2026-04-05 19:09:04 UTC\r\nsamlib.dllPermalink\r\nFile Path: C:\\Windows\\SysWOW64\\samlib.dll\r\nDescription: SAM Library DLL\r\nHashesPermalink\r\nType Hash\r\nMD5 0BDF6351009F6EBA5BA7E886F23263B1\r\nSHA1 3EA88E1819546E538E050266CDE6AA4CDB22B2ED\r\nSHA256 328B221FF7E37C6F58EF341CEE533167E499A7239450088180662DEF162D7302\r\nSHA384 80E341D31AEFC8B5641F8E0EC54E9E9350184844F7DA9D10F4A0A65CFE9AFB9EB2C5290F5626D1774278C62905039368\r\nSHA512 8A09E07427DF858B6D587D9E0B5F9CC605CBFCCAAECDBB2C0D4EE02A4E7746321F54DCB84B6642C7A622A14A76C2445374AD24E234C5FBA81122\r\nSSDEEP 1536:T7bzVo2O9ij5TA+BMzkHMvA/uvcx9VzT:P3V5OwDA7cxfz\r\nIMP E6A213B654988D6519F1E7E49085E263\r\nPESHA1 A6E178DE3ACCF1C20889B0BAB3779972964B6548\r\nPE256 0F1085F695367C9E756FC8919F55AECB392E75F23DA268ADE81BFD1EF03F548D\r\nDLL Exports:Permalink\r\nFunction Name Ordinal Type\r\nSamQueryDisplayInformation 38 Exported Function\r\nSamQueryInformationAlias 39 Exported Function\r\nSamOpenUser 36 Exported Function\r\nSamPerformGenericOperation 37 Exported Function\r\nSamQueryInformationUser 42 Exported Function\r\nSamQueryLocalizableAccountsInDomain 43 Exported Function\r\nSamQueryInformationDomain 40 Exported Function\r\nSamQueryInformationGroup 41 Exported Function\r\nSamOpenGroup 35 Exported Function\r\nSamLookupDomainInSamServer 29 Exported Function\r\nSamLookupIdsInDomain 30 Exported Function\r\nSamiSetDSRMPasswordOWF 69 Exported Function\r\nSamiSyncDSRMPasswordFromAccount 70 Exported Function\r\nSamOpenAlias 33 Exported Function\r\nSamOpenDomain 34 Exported Function\r\nSamLookupNamesInDomain 32 Exported Function\r\nhttps://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html\r\nPage 1 of 4\n\nFunction Name Ordinal Type\r\nSamLookupNamesInDomain2 31 Exported Function\r\nSamQuerySecurityObject 44 Exported Function\r\nSamSetSecurityObject 56 Exported Function\r\nSamShutdownSamServer 57 Exported Function\r\nSamSetInformationUser 54 Exported Function\r\nSamSetMemberAttributesOfGroup 55 Exported Function\r\nSamUnregisterObjectChangeNotification 60 Exported Function\r\nSamValidatePassword 61 Exported Function\r\nSamTestPrivateFunctionsDomain 58 Exported Function\r\nSamTestPrivateFunctionsUser 59 Exported Function\r\nSamSetInformationGroup 53 Exported Function\r\nSamRemoveMemberFromForeignDomain 47 Exported Function\r\nSamRemoveMemberFromGroup 48 Exported Function\r\nSamRegisterObjectChangeNotification 45 Exported Function\r\nSamRemoveMemberFromAlias 46 Exported Function\r\nSamSetInformationAlias 51 Exported Function\r\nSamSetInformationDomain 52 Exported Function\r\nSamRemoveMultipleMembersFromAlias 49 Exported Function\r\nSamRidToSid 50 Exported Function\r\nSamCreateUser2InDomain 12 Exported Function\r\nSamCreateUserInDomain 13 Exported Function\r\nSamCreateAliasInDomain 10 Exported Function\r\nSamCreateGroupInDomain 11 Exported Function\r\nSamDeleteUser 16 Exported Function\r\nSamEnumerateAliasesInDomain 17 Exported Function\r\nSamDeleteAlias 14 Exported Function\r\nSamDeleteGroup 15 Exported Function\r\nSamConnectWithCreds 9 Exported Function\r\nSamAddMemberToGroup 3 Exported Function\r\nSamAddMultipleMembersToAlias 4 Exported Function\r\nOnMachineUILanguageInit 1 Exported Function\r\nSamAddMemberToAlias 2 Exported Function\r\nSamCloseHandle 7 Exported Function\r\nSamConnect 8 Exported Function\r\nSamChangePasswordUser 6 Exported Function\r\nhttps://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html\r\nPage 2 of 4\n\nFunction Name Ordinal Type\r\nSamChangePasswordUser2 5 Exported Function\r\nSamEnumerateDomainsInSamServer 18 Exported Function\r\nSamiChangePasswordUser 64 Exported Function\r\nSamiChangePasswordUser2 63 Exported Function\r\nSamGetMembersInGroup 28 Exported Function\r\nSamiChangeKeys 62 Exported Function\r\nSamiSetBootKeyInformation 67 Exported Function\r\nSamiSetDSRMPassword 68 Exported Function\r\nSamiEncryptPasswords 65 Exported Function\r\nSamiLmChangePasswordUser 66 Exported Function\r\nSamGetMembersInAlias 27 Exported Function\r\nSamEnumerateUsersInDomain2 20 Exported Function\r\nSamFreeMemory 22 Exported Function\r\nSamEnumerateGroupsInDomain 19 Exported Function\r\nSamEnumerateUsersInDomain 21 Exported Function\r\nSamGetDisplayEnumerationIndex 25 Exported Function\r\nSamGetGroupsForUser 26 Exported Function\r\nSamGetAliasMembership 23 Exported Function\r\nSamGetCompatibilityMode 24 Exported Function\r\nSignaturePermalink\r\nStatus: Signature verified.\r\nSerial: 3300000266BD1580EFA75CD6D3000000000266\r\nThumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840\r\nIssuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington,\r\nC=US\r\nSubject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\r\nOriginal Filename: SAMLib.DLL\r\nProduct Name: Microsoft Windows Operating System\r\nCompany Name: Microsoft Corporation\r\nFile Version: 10.0.19041.1 (WinBuild.160101.0800)\r\nProduct Version: 10.0.19041.1\r\nLanguage: English (United States)\r\nLegal Copyright: Microsoft Corporation. All rights reserved.\r\nMachine Type: 32-bit\r\nFile ScanPermalink\r\nVirusTotal Detections: 0/71\r\nVirusTotal Link:\r\nhttps://www.virustotal.com/gui/file/328b221ff7e37c6f58ef341cee533167e499a7239450088180662def162d7302/detection/\r\nPossible MisusePermalink\r\nhttps://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html\r\nPage 3 of 4\n\nThe following table contains possible examples of samlib.dll being misused. While samlib.dll is not inherently\r\nmalicious, its legitimate functionality can be abused for malicious purposes.\r\nSource Source File Example License\r\nsigma image_load_mimikatz_inmemory_detection.yml - 'samlib.dll' DRL 1.0\r\nsigma image_load_susp_image_load.yml\r\ndescription: Detects Loading of\r\nsamlib.dll, WinSCard.dll from\r\nuntypical process e.g. through process\r\nhollowing by Mimikatz\r\nDRL 1.0\r\nsigma image_load_susp_image_load.yml - '\\samlib.dll' DRL 1.0\r\natomic-red-team\r\nT1003.006.md\r\n\u003cblockquote\u003eAdversaries may attempt to\r\naccess credentials and other sensitive\r\ninformation by abusing a Windows\r\nDomain Controller’s application\r\nprogramming interface (API)(Citation:\r\nMicrosoft DRSR Dec 2017) (Citation:\r\nMicrosoft GetNCCChanges) (Citation:\r\nSamba DRSUAPI) (Citation: Wine API\r\nsamlib.dll) to simulate the replication\r\nprocess from a remote domain controller\r\nusing a technique called DCSync.\r\nMIT\r\nLicense.\r\n© 2018\r\nRed\r\nCanary\r\nMIT License. Copyright (c) 2020-2021 Strontic.\r\nSource: https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html\r\nhttps://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"
	],
	"report_names": [
		"samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb293fb47507ec7e69458712eec481f26f7e05e0.pdf",
		"text": "https://archive.orkl.eu/bb293fb47507ec7e69458712eec481f26f7e05e0.txt",
		"img": "https://archive.orkl.eu/bb293fb47507ec7e69458712eec481f26f7e05e0.jpg"
	}
}