offlinesam.dll

Description: Windows

Authors: © Microsoft Corporation. All rights reserved.

Version: 10.0.19041.3996

Architecture: 32-bit

Operating System: Windows NT

SHA256: 332195409853644f4c6b90b0926d8959

File Size: 237.5 KB

Uploaded At: Dec. 1, 2025, 8:02 a.m.

Views: 14

Security Warning

This file has been flagged as potentially dangerous.

Reason: Detected potentially dangerous functions used for process injection: OpenProcess

Exported Functions

  • SamOfflineAddMemberToAlias (Ordinal: 1, Address: 0xf0b0)
  • SamOfflineCloseHandle (Ordinal: 2, Address: 0xfa10)
  • SamOfflineConnect (Ordinal: 3, Address: 0xe5d0)
  • SamOfflineConnectExternal (Ordinal: 4, Address: 0xe780)
  • SamOfflineConnectForInstaller (Ordinal: 5, Address: 0xe6c0)
  • SamOfflineCreateAliasInDomain (Ordinal: 6, Address: 0xed10)
  • SamOfflineCreateUserInDomain (Ordinal: 7, Address: 0xf610)
  • SamOfflineDeleteAlias (Ordinal: 8, Address: 0xefc0)
  • SamOfflineDeleteUser (Ordinal: 9, Address: 0xf8b0)
  • SamOfflineEnumerateAliasesInDomain (Ordinal: 10, Address: 0xf310)
  • SamOfflineEnumerateDomainsInSamServer (Ordinal: 11, Address: 0xe890)
  • SamOfflineEnumerateUsersInDomain2 (Ordinal: 12, Address: 0xf410)
  • SamOfflineFreeMemory (Ordinal: 13, Address: 0xfb10)
  • SamOfflineGetMembersInAlias (Ordinal: 14, Address: 0xf250)
  • SamOfflineLookupDomainInSamServer (Ordinal: 15, Address: 0xe970)
  • SamOfflineLookupNamesInDomain (Ordinal: 16, Address: 0xeb40)
  • SamOfflineOpenAlias (Ordinal: 17, Address: 0xec20)
  • SamOfflineOpenDomain (Ordinal: 18, Address: 0xea40)
  • SamOfflineOpenUser (Ordinal: 19, Address: 0xf510)
  • SamOfflineQueryInformationAlias (Ordinal: 20, Address: 0xee30)
  • SamOfflineQueryInformationUser (Ordinal: 21, Address: 0xf720)
  • SamOfflineRemoveMemberFromAlias (Ordinal: 22, Address: 0xf190)
  • SamOfflineRidToSid (Ordinal: 23, Address: 0xf980)
  • SamOfflineSetInformationAlias (Ordinal: 24, Address: 0xeef0)
  • SamOfflineSetInformationUser (Ordinal: 25, Address: 0xf7f0)

Imported DLLs & Functions

api-ms-win-core-errorhandling-l1-1-0.dll
  • GetLastError (Address: 0x1001c028)
  • SetUnhandledExceptionFilter (Address: 0x1001c020)
  • UnhandledExceptionFilter (Address: 0x1001c024)
api-ms-win-core-file-l1-1-0.dll
  • GetFileAttributesW (Address: 0x1001c030)
api-ms-win-core-handle-l1-1-0.dll
  • CloseHandle (Address: 0x1001c038)
api-ms-win-core-heap-obsolete-l1-1-0.dll
  • LocalAlloc (Address: 0x1001c040)
  • LocalFree (Address: 0x1001c044)
api-ms-win-core-kernel32-legacy-l1-1-0.dll
  • WTSGetActiveConsoleSessionId (Address: 0x1001c04c)
api-ms-win-core-libraryloader-l1-1-0.dll
  • DisableThreadLibraryCalls (Address: 0x1001c05c)
  • FreeLibrary (Address: 0x1001c058)
  • LoadLibraryExW (Address: 0x1001c054)
api-ms-win-core-memory-l1-1-0.dll
  • VirtualAlloc (Address: 0x1001c064)
  • VirtualProtect (Address: 0x1001c06c)
  • VirtualQuery (Address: 0x1001c068)
api-ms-win-core-processthreads-l1-1-0.dll
  • GetCurrentProcess (Address: 0x1001c084)
  • GetCurrentProcessId (Address: 0x1001c078)
  • GetCurrentThreadId (Address: 0x1001c080)
  • OpenProcessToken (Address: 0x1001c088)
  • SetThreadStackGuarantee (Address: 0x1001c074)
  • TerminateProcess (Address: 0x1001c07c)
api-ms-win-core-processthreads-l1-1-1.dll
  • OpenProcess (Address: 0x1001c090)
api-ms-win-core-profile-l1-1-0.dll
  • QueryPerformanceCounter (Address: 0x1001c098)
api-ms-win-core-string-l1-1-0.dll
  • CompareStringEx (Address: 0x1001c0a0)
api-ms-win-core-synch-l1-1-0.dll
  • AcquireSRWLockExclusive (Address: 0x1001c0a8)
  • InitializeSRWLock (Address: 0x1001c0ac)
  • ReleaseSRWLockExclusive (Address: 0x1001c0b0)
api-ms-win-core-synch-l1-2-0.dll
  • Sleep (Address: 0x1001c0b8)
api-ms-win-core-sysinfo-l1-1-0.dll
  • GetSystemInfo (Address: 0x1001c0c4)
  • GetSystemTimeAsFileTime (Address: 0x1001c0c0)
  • GetTickCount (Address: 0x1001c0c8)
api-ms-win-eventing-classicprovider-l1-1-0.dll
  • GetTraceEnableFlags (Address: 0x1001c0e4)
  • GetTraceEnableLevel (Address: 0x1001c0d0)
  • GetTraceLoggerHandle (Address: 0x1001c0e0)
  • RegisterTraceGuidsW (Address: 0x1001c0dc)
  • TraceMessage (Address: 0x1001c0d4)
  • UnregisterTraceGuids (Address: 0x1001c0d8)
api-ms-win-security-base-l1-1-0.dll
  • DuplicateTokenEx (Address: 0x1001c0f8)
  • GetLengthSid (Address: 0x1001c0ec)
  • GetTokenInformation (Address: 0x1001c0f0)
  • IsValidSid (Address: 0x1001c0f4)
api-ms-win-security-cryptoapi-l1-1-0.dll
  • CryptAcquireContextA (Address: 0x1001c114)
  • CryptCreateHash (Address: 0x1001c110)
  • CryptDestroyHash (Address: 0x1001c104)
  • CryptGetHashParam (Address: 0x1001c10c)
  • CryptHashData (Address: 0x1001c100)
  • CryptReleaseContext (Address: 0x1001c108)
api-ms-win-security-lsalookup-l2-1-0.dll
  • LookupPrivilegeValueW (Address: 0x1001c11c)
api-ms-win-security-sddl-l1-1-0.dll
  • ConvertStringSidToSidW (Address: 0x1001c124)
bcrypt.dll
  • BCryptCloseAlgorithmProvider (Address: 0x1001c150)
  • BCryptCreateHash (Address: 0x1001c134)
  • BCryptDecrypt (Address: 0x1001c14c)
  • BCryptDestroyHash (Address: 0x1001c13c)
  • BCryptDestroyKey (Address: 0x1001c158)
  • BCryptEncrypt (Address: 0x1001c154)
  • BCryptFinishHash (Address: 0x1001c144)
  • BCryptGenerateSymmetricKey (Address: 0x1001c138)
  • BCryptGetProperty (Address: 0x1001c140)
  • BCryptHashData (Address: 0x1001c130)
  • BCryptOpenAlgorithmProvider (Address: 0x1001c148)
  • BCryptSetProperty (Address: 0x1001c12c)
CRYPTBASE.dll
  • SystemFunction001 (Address: 0x1001c008)
  • SystemFunction003 (Address: 0x1001c004)
  • SystemFunction036 (Address: 0x1001c000)
msvcrt.dll
  • _amsg_exit (Address: 0x1001c178)
  • _except_handler4_common (Address: 0x1001c168)
  • _initterm (Address: 0x1001c164)
  • _purecall (Address: 0x1001c16c)
  • _vsnwprintf (Address: 0x1001c18c)
  • _wcsicmp (Address: 0x1001c188)
  • _XcptFilter (Address: 0x1001c184)
  • free (Address: 0x1001c174)
  • malloc (Address: 0x1001c160)
  • memcmp (Address: 0x1001c180)
  • memcpy (Address: 0x1001c17c)
  • memmove (Address: 0x1001c170)
  • memset (Address: 0x1001c190)
ntdll.dll
  • DbgPrintEx (Address: 0x1001c1b4)
  • NtAdjustPrivilegesToken (Address: 0x1001c1e8)
  • NtClose (Address: 0x1001c1a0)
  • NtCreateKey (Address: 0x1001c1a8)
  • NtDeleteKey (Address: 0x1001c20c)
  • NtDeleteValueKey (Address: 0x1001c1f8)
  • NtDuplicateToken (Address: 0x1001c224)
  • NtFlushKey (Address: 0x1001c290)
  • NtLoadKey (Address: 0x1001c298)
  • NtOpenKey (Address: 0x1001c198)
  • NtOpenProcessToken (Address: 0x1001c228)
  • NtOpenThreadToken (Address: 0x1001c214)
  • NtQueryInformationToken (Address: 0x1001c218)
  • NtQueryKey (Address: 0x1001c210)
  • NtQuerySystemInformation (Address: 0x1001c220)
  • NtQuerySystemTime (Address: 0x1001c280)
  • NtQueryValueKey (Address: 0x1001c1ec)
  • NtSetInformationThread (Address: 0x1001c21c)
  • NtSetSecurityObject (Address: 0x1001c1fc)
  • NtSetValueKey (Address: 0x1001c1f0)
  • NtUnloadKey2 (Address: 0x1001c28c)
  • RtlAbsoluteToSelfRelativeSD (Address: 0x1001c244)
  • RtlAddAccessAllowedAce (Address: 0x1001c248)
  • RtlAddAuditAccessAce (Address: 0x1001c240)
  • RtlAllocateAndInitializeSid (Address: 0x1001c24c)
  • RtlAllocateHeap (Address: 0x1001c1bc)
  • RtlAppendUnicodeStringToString (Address: 0x1001c1e4)
  • RtlAppendUnicodeToString (Address: 0x1001c1cc)
  • RtlCompareUnicodeString (Address: 0x1001c22c)
  • RtlConvertSidToUnicodeString (Address: 0x1001c274)
  • RtlCopySid (Address: 0x1001c1a4)
  • RtlCopyUnicodeString (Address: 0x1001c1dc)
  • RtlCreateAcl (Address: 0x1001c23c)
  • RtlCreateSecurityDescriptor (Address: 0x1001c234)
  • RtlDosPathNameToRelativeNtPathName_U_WithStatus (Address: 0x1001c294)
  • RtlEqualSid (Address: 0x1001c284)
  • RtlFindMessage (Address: 0x1001c1c8)
  • RtlFormatCurrentUserKeyPath (Address: 0x1001c1c4)
  • RtlFreeHeap (Address: 0x1001c288)
  • RtlFreeUnicodeString (Address: 0x1001c270)
  • RtlGetAce (Address: 0x1001c250)
  • RtlGetDaclSecurityDescriptor (Address: 0x1001c230)
  • RtlGetGroupSecurityDescriptor (Address: 0x1001c1f4)
  • RtlGetOwnerSecurityDescriptor (Address: 0x1001c200)
  • RtlGetSaclSecurityDescriptor (Address: 0x1001c204)
  • RtlIdentifierAuthoritySid (Address: 0x1001c1e0)
  • RtlImageNtHeader (Address: 0x1001c1ac)
  • RtlInitializeRXact (Address: 0x1001c29c)
  • RtlInitializeSid (Address: 0x1001c25c)
  • RtlInitUnicodeString (Address: 0x1001c19c)
  • RtlIntegerToUnicodeString (Address: 0x1001c1d0)
  • RtlLengthRequiredSid (Address: 0x1001c1d8)
  • RtlLengthSid (Address: 0x1001c268)
  • RtlMapGenericMask (Address: 0x1001c258)
  • RtlpNtEnumerateSubKey (Address: 0x1001c208)
  • RtlRaiseStatus (Address: 0x1001c1c0)
  • RtlReAllocateHeap (Address: 0x1001c1b8)
  • RtlSetDaclSecurityDescriptor (Address: 0x1001c254)
  • RtlSetGroupSecurityDescriptor (Address: 0x1001c238)
  • RtlSetOwnerSecurityDescriptor (Address: 0x1001c260)
  • RtlSetSaclSecurityDescriptor (Address: 0x1001c264)
  • RtlSubAuthorityCountSid (Address: 0x1001c26c)
  • RtlSubAuthoritySid (Address: 0x1001c278)
  • RtlUpcaseUnicodeChar (Address: 0x1001c1b0)
  • RtlUpcaseUnicodeStringToOemString (Address: 0x1001c1d4)
  • RtlValidSid (Address: 0x1001c27c)
offlinelsa.dll
  • LsaOfflineClose (Address: 0x1001c2b0)
  • LsaOfflineFreeMemory (Address: 0x1001c2b8)
  • LsaOfflineOpenPolicy (Address: 0x1001c2a4)
  • LsaOfflineOpenPolicyExternal (Address: 0x1001c2ac)
  • LsaOfflineOpenPolicyForInstaller (Address: 0x1001c2a8)
  • LsaOfflineQueryInformationPolicy (Address: 0x1001c2bc)
  • LsaOfflineSyskeyRequest (Address: 0x1001c2b4)
RPCRT4.dll
  • RpcStringFreeW (Address: 0x1001c014)
  • UuidCreate (Address: 0x1001c010)
  • UuidToStringW (Address: 0x1001c018)