offlinesam.dll

Description: Windows

Version: 10.0.19041.4842

Architecture: 64-bit

Operating System: Windows NT

SHA256: b8a13950dfc9e35ee4ff0e59c3bd0139

File Size: 272.5 KB

Uploaded At: Dec. 1, 2025, 7:35 a.m.

Views: 4

Security Warning

This file has been flagged as potentially dangerous.

Reason: Detected potentially dangerous functions used for process injection: OpenProcess

Exported Functions

SamOfflineAddMemberToAlias (Ordinal: 1, Address: 0x10770)
SamOfflineCloseHandle (Ordinal: 2, Address: 0x112d0)
SamOfflineConnect (Ordinal: 3, Address: 0xf9d0)
SamOfflineConnectExternal (Ordinal: 4, Address: 0xfbc0)
SamOfflineConnectForInstaller (Ordinal: 5, Address: 0xfae0)
SamOfflineCreateAliasInDomain (Ordinal: 6, Address: 0x102d0)
SamOfflineCreateUserInDomain (Ordinal: 7, Address: 0x10e10)
SamOfflineDeleteAlias (Ordinal: 8, Address: 0x10610)
SamOfflineDeleteUser (Ordinal: 9, Address: 0x11130)
SamOfflineEnumerateAliasesInDomain (Ordinal: 10, Address: 0x10a60)
SamOfflineEnumerateDomainsInSamServer (Ordinal: 11, Address: 0xfd20)
SamOfflineEnumerateUsersInDomain2 (Ordinal: 12, Address: 0x10ba0)
SamOfflineFreeMemory (Ordinal: 13, Address: 0x11440)
SamOfflineGetMembersInAlias (Ordinal: 14, Address: 0x10960)
SamOfflineLookupDomainInSamServer (Ordinal: 15, Address: 0xfe50)
SamOfflineLookupNamesInDomain (Ordinal: 16, Address: 0x10080)
SamOfflineOpenAlias (Ordinal: 17, Address: 0x101b0)
SamOfflineOpenDomain (Ordinal: 18, Address: 0xff50)
SamOfflineOpenUser (Ordinal: 19, Address: 0x10cf0)
SamOfflineQueryInformationAlias (Ordinal: 20, Address: 0x10420)
SamOfflineQueryInformationUser (Ordinal: 21, Address: 0x10f50)
SamOfflineRemoveMemberFromAlias (Ordinal: 22, Address: 0x10880)
SamOfflineRidToSid (Ordinal: 23, Address: 0x11220)
SamOfflineSetInformationAlias (Ordinal: 24, Address: 0x10510)
SamOfflineSetInformationUser (Ordinal: 25, Address: 0x11040)

Imported DLLs & Functions

api-ms-win-core-errorhandling-l1-1-0.dll

GetLastError (Address: 0x18001f5b8)
SetUnhandledExceptionFilter (Address: 0x18001f5a8)
UnhandledExceptionFilter (Address: 0x18001f5b0)

api-ms-win-core-file-l1-1-0.dll

GetFileAttributesW (Address: 0x18001f5c8)

api-ms-win-core-handle-l1-1-0.dll

CloseHandle (Address: 0x18001f5d8)

api-ms-win-core-heap-obsolete-l1-1-0.dll

LocalAlloc (Address: 0x18001f5e8)
LocalFree (Address: 0x18001f5f0)

api-ms-win-core-kernel32-legacy-l1-1-0.dll

WTSGetActiveConsoleSessionId (Address: 0x18001f600)

api-ms-win-core-libraryloader-l1-1-0.dll

DisableThreadLibraryCalls (Address: 0x18001f620)
FreeLibrary (Address: 0x18001f610)
LoadLibraryExW (Address: 0x18001f618)

api-ms-win-core-memory-l1-1-0.dll

VirtualAlloc (Address: 0x18001f640)
VirtualProtect (Address: 0x18001f630)
VirtualQuery (Address: 0x18001f638)

api-ms-win-core-processthreads-l1-1-0.dll

GetCurrentProcess (Address: 0x18001f668)
GetCurrentProcessId (Address: 0x18001f658)
GetCurrentThreadId (Address: 0x18001f678)
OpenProcessToken (Address: 0x18001f670)
SetThreadStackGuarantee (Address: 0x18001f650)
TerminateProcess (Address: 0x18001f660)

api-ms-win-core-processthreads-l1-1-1.dll

OpenProcess (Address: 0x18001f688)

api-ms-win-core-profile-l1-1-0.dll

QueryPerformanceCounter (Address: 0x18001f698)

api-ms-win-core-string-l1-1-0.dll

CompareStringEx (Address: 0x18001f6a8)

api-ms-win-core-synch-l1-1-0.dll

AcquireSRWLockExclusive (Address: 0x18001f6c0)
InitializeSRWLock (Address: 0x18001f6b8)
ReleaseSRWLockExclusive (Address: 0x18001f6c8)

api-ms-win-core-synch-l1-2-0.dll

Sleep (Address: 0x18001f6d8)

api-ms-win-core-sysinfo-l1-1-0.dll

GetSystemInfo (Address: 0x18001f6f8)
GetSystemTimeAsFileTime (Address: 0x18001f6e8)
GetTickCount (Address: 0x18001f6f0)

api-ms-win-eventing-classicprovider-l1-1-0.dll

GetTraceEnableFlags (Address: 0x18001f730)
GetTraceEnableLevel (Address: 0x18001f708)
GetTraceLoggerHandle (Address: 0x18001f728)
RegisterTraceGuidsW (Address: 0x18001f720)
TraceMessage (Address: 0x18001f710)
UnregisterTraceGuids (Address: 0x18001f718)

api-ms-win-security-base-l1-1-0.dll

DuplicateTokenEx (Address: 0x18001f758)
GetLengthSid (Address: 0x18001f740)
GetTokenInformation (Address: 0x18001f748)
IsValidSid (Address: 0x18001f750)

api-ms-win-security-cryptoapi-l1-1-0.dll

CryptAcquireContextA (Address: 0x18001f790)
CryptCreateHash (Address: 0x18001f788)
CryptDestroyHash (Address: 0x18001f770)
CryptGetHashParam (Address: 0x18001f780)
CryptHashData (Address: 0x18001f768)
CryptReleaseContext (Address: 0x18001f778)

api-ms-win-security-lsalookup-l2-1-0.dll

LookupPrivilegeValueW (Address: 0x18001f7a0)

api-ms-win-security-sddl-l1-1-0.dll

ConvertStringSidToSidW (Address: 0x18001f7b0)

bcrypt.dll

BCryptCloseAlgorithmProvider (Address: 0x18001f7f0)
BCryptCreateHash (Address: 0x18001f7d0)
BCryptDecrypt (Address: 0x18001f800)
BCryptDestroyHash (Address: 0x18001f7e0)
BCryptDestroyKey (Address: 0x18001f7e8)
BCryptEncrypt (Address: 0x18001f818)
BCryptFinishHash (Address: 0x18001f810)
BCryptGenerateSymmetricKey (Address: 0x18001f7d8)
BCryptGetProperty (Address: 0x18001f808)
BCryptHashData (Address: 0x18001f7c8)
BCryptOpenAlgorithmProvider (Address: 0x18001f7f8)
BCryptSetProperty (Address: 0x18001f7c0)

CRYPTBASE.dll

SystemFunction001 (Address: 0x18001f578)
SystemFunction003 (Address: 0x18001f570)
SystemFunction036 (Address: 0x18001f568)

msvcrt.dll

__C_specific_handler (Address: 0x18001f848)
_amsg_exit (Address: 0x18001f858)
_initterm (Address: 0x18001f838)
_purecall (Address: 0x18001f840)
_vsnwprintf (Address: 0x18001f880)
_wcsicmp (Address: 0x18001f878)
_XcptFilter (Address: 0x18001f870)
free (Address: 0x18001f828)
malloc (Address: 0x18001f830)
memcmp (Address: 0x18001f868)
memcpy (Address: 0x18001f860)
memmove (Address: 0x18001f850)
memset (Address: 0x18001f888)

ntdll.dll

DbgPrintEx (Address: 0x18001f8d0)
NtAdjustPrivilegesToken (Address: 0x18001f950)
NtClose (Address: 0x18001f8a8)
NtCreateKey (Address: 0x18001f8b8)
NtDeleteKey (Address: 0x18001f998)
NtDeleteValueKey (Address: 0x18001f970)
NtDuplicateToken (Address: 0x18001f9c8)
NtFlushKey (Address: 0x18001faa0)
NtLoadKey (Address: 0x18001fab0)
NtOpenKey (Address: 0x18001f898)
NtOpenProcessToken (Address: 0x18001f9d0)
NtOpenThreadToken (Address: 0x18001f9a8)
NtQueryInformationToken (Address: 0x18001f9b0)
NtQueryKey (Address: 0x18001f9a0)
NtQuerySystemInformation (Address: 0x18001f9c0)
NtQuerySystemTime (Address: 0x18001fa80)
NtQueryValueKey (Address: 0x18001f958)
NtSetInformationThread (Address: 0x18001f9b8)
NtSetSecurityObject (Address: 0x18001f978)
NtSetValueKey (Address: 0x18001f960)
NtUnloadKey2 (Address: 0x18001fa98)
RtlAbsoluteToSelfRelativeSD (Address: 0x18001fa08)
RtlAddAccessAllowedAce (Address: 0x18001fa10)
RtlAddAuditAccessAce (Address: 0x18001fa00)
RtlAllocateAndInitializeSid (Address: 0x18001fa18)
RtlAllocateHeap (Address: 0x18001f8e0)
RtlAppendUnicodeStringToString (Address: 0x18001f948)
RtlAppendUnicodeToString (Address: 0x18001f918)
RtlCaptureContext (Address: 0x18001f908)
RtlCompareUnicodeString (Address: 0x18001f9d8)
RtlConvertSidToUnicodeString (Address: 0x18001fa68)
RtlCopySid (Address: 0x18001f8b0)
RtlCopyUnicodeString (Address: 0x18001f938)
RtlCreateAcl (Address: 0x18001f9f8)
RtlCreateSecurityDescriptor (Address: 0x18001f9e8)
RtlDosPathNameToRelativeNtPathName_U_WithStatus (Address: 0x18001faa8)
RtlEqualSid (Address: 0x18001fa88)
RtlFindMessage (Address: 0x18001f910)
RtlFormatCurrentUserKeyPath (Address: 0x18001f8f0)
RtlFreeHeap (Address: 0x18001fa90)
RtlFreeUnicodeString (Address: 0x18001fa60)
RtlGetAce (Address: 0x18001fa20)
RtlGetDaclSecurityDescriptor (Address: 0x18001f9e0)
RtlGetGroupSecurityDescriptor (Address: 0x18001f968)
RtlGetOwnerSecurityDescriptor (Address: 0x18001f980)
RtlGetSaclSecurityDescriptor (Address: 0x18001f988)
RtlIdentifierAuthoritySid (Address: 0x18001f940)
RtlImageNtHeader (Address: 0x18001f8c0)
RtlInitializeRXact (Address: 0x18001fab8)
RtlInitializeSid (Address: 0x18001fa38)
RtlInitUnicodeString (Address: 0x18001f8a0)
RtlIntegerToUnicodeString (Address: 0x18001f920)
RtlLengthRequiredSid (Address: 0x18001f930)
RtlLengthSid (Address: 0x18001fa50)
RtlLookupFunctionEntry (Address: 0x18001f900)
RtlMapGenericMask (Address: 0x18001fa30)
RtlpNtEnumerateSubKey (Address: 0x18001f990)
RtlRaiseStatus (Address: 0x18001f8e8)
RtlReAllocateHeap (Address: 0x18001f8d8)
RtlSetDaclSecurityDescriptor (Address: 0x18001fa28)
RtlSetGroupSecurityDescriptor (Address: 0x18001f9f0)
RtlSetOwnerSecurityDescriptor (Address: 0x18001fa40)
RtlSetSaclSecurityDescriptor (Address: 0x18001fa48)
RtlSubAuthorityCountSid (Address: 0x18001fa58)
RtlSubAuthoritySid (Address: 0x18001fa70)
RtlUpcaseUnicodeChar (Address: 0x18001f8c8)
RtlUpcaseUnicodeStringToOemString (Address: 0x18001f928)
RtlValidSid (Address: 0x18001fa78)
RtlVirtualUnwind (Address: 0x18001f8f8)

offlinelsa.dll

LsaOfflineClose (Address: 0x18001fae0)
LsaOfflineFreeMemory (Address: 0x18001faf0)
LsaOfflineOpenPolicy (Address: 0x18001fac8)
LsaOfflineOpenPolicyExternal (Address: 0x18001fad8)
LsaOfflineOpenPolicyForInstaller (Address: 0x18001fad0)
LsaOfflineQueryInformationPolicy (Address: 0x18001faf8)
LsaOfflineSyskeyRequest (Address: 0x18001fae8)

RPCRT4.dll

RpcStringFreeW (Address: 0x18001f588)
UuidCreate (Address: 0x18001f598)
UuidToStringW (Address: 0x18001f590)