Malicious
Classifications
Spyware
Threat Names
Trojan.GenericKDZ.76753 Gen:Variant.Mikey.113998
Dynamic Analysis Report
Created on 2021-09-28T09:02:00
eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.exe.dll
Windows DLL (x86-64)
Remarks (2/2)
(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "21 minutes" to "6 minutes, 40 seconds" to reveal dormant functionality.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\RDhJ0CNFevzX\Desktop\eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.exe.dll | Sample File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 2.07 MB |
| MD5 |
5edd6ba336c4de29f55cadfd2167a67e
|
| SHA1 |
af181a8f3fe25a515a8fe2a02559e5daceecf976
|
| SHA256 |
eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
|
| SSDeep |
12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnb
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0x1cf000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (47)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64f2c | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fltwtj | 0x14010e000 | 0x1267 | 0x2000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .sfplio | 0x140110000 | 0x736 | 0x1000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rpg | 0x140111000 | 0x45174 | 0x46000 | 0x111000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .bewzc | 0x140157000 | 0x1124 | 0x2000 | 0x157000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .vksvaw | 0x140159000 | 0x736 | 0x1000 | 0x159000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wmhg | 0x14015a000 | 0x1278 | 0x2000 | 0x15a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kswemc | 0x14015c000 | 0x36d | 0x1000 | 0x15c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kaxfk | 0x14015d000 | 0x197d | 0x2000 | 0x15d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pjf | 0x14015f000 | 0xbde | 0x1000 | 0x15f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .retjqj | 0x140160000 | 0x7fd | 0x1000 | 0x160000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .mizn | 0x140161000 | 0x9cd | 0x1000 | 0x161000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rsrub | 0x140162000 | 0x197d | 0x2000 | 0x162000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fhgxfk | 0x140164000 | 0x45174 | 0x46000 | 0x164000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wqpbrq | 0x1401aa000 | 0x23b | 0x1000 | 0x1aa000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xlhbgj | 0x1401ab000 | 0xebe | 0x1000 | 0x1ab000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rzgl | 0x1401ac000 | 0xbde | 0x1000 | 0x1ac000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yic | 0x1401ad000 | 0x1f7 | 0x1000 | 0x1ad000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .zfmbo | 0x1401ae000 | 0x1af | 0x1000 | 0x1ae000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kurwl | 0x1401af000 | 0x3fe | 0x1000 | 0x1af000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .crlsf | 0x1401b0000 | 0x1e66 | 0x2000 | 0x1b0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wrn | 0x1401b2000 | 0x6cd0 | 0x7000 | 0x1b2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .blcv | 0x1401b9000 | 0x1af | 0x1000 | 0x1b9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .roblb | 0x1401ba000 | 0x9cd | 0x1000 | 0x1ba000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .yblxa | 0x1401bb000 | 0x23b | 0x1000 | 0x1bb000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tfy | 0x1401bc000 | 0x9cd | 0x1000 | 0x1bc000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wsmv | 0x1401bd000 | 0x23b | 0x1000 | 0x1bd000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hrs | 0x1401be000 | 0x16c | 0x1000 | 0x1be000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ppapg | 0x1401bf000 | 0x23b | 0x1000 | 0x1bf000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .udm | 0x1401c0000 | 0x1278 | 0x2000 | 0x1c0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fxc | 0x1401c2000 | 0x1f2a | 0x2000 | 0x1c2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fvxxk | 0x1401c4000 | 0x23b | 0x1000 | 0x1c4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .zmj | 0x1401c5000 | 0x23b | 0x1000 | 0x1c5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .zvz | 0x1401c6000 | 0x45174 | 0x46000 | 0x1c6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xyiz | 0x14020c000 | 0x8fe | 0x1000 | 0x20c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .gbzxp | 0x14020d000 | 0x23b | 0x1000 | 0x20d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kkivgv | 0x14020e000 | 0x8fe | 0x1000 | 0x20e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .evwibb | 0x14020f000 | 0x197d | 0x2000 | 0x20f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.72 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (167)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| LogonIdFromWinStationNameA | 0x154cc | 0x2 |
| LogonIdFromWinStationNameW | 0x1e670 | 0x3 |
| RemoteAssistancePrepareSystemRestore | 0x19b0 | 0x4 |
| ServerGetInternetConnectorStatus | 0xb840 | 0x5 |
| ServerLicensingClose | 0x3cdc | 0x6 |
| ServerLicensingDeactivateCurrentPolicy | 0x3d540 | 0x7 |
| ServerLicensingFreePolicyInformation | 0x382b0 | 0x8 |
| ServerLicensingGetAvailablePolicyIds | 0x38e3c | 0x9 |
| ServerLicensingGetPolicy | 0x2eee4 | 0xa |
| ServerLicensingGetPolicyInformationA | 0x3c028 | 0xb |
| ServerLicensingGetPolicyInformationW | 0x35608 | 0xc |
| ServerLicensingLoadPolicy | 0x31ff4 | 0xd |
| ServerLicensingOpenA | 0x37a88 | 0xe |
| ServerLicensingOpenW | 0x1cb14 | 0xf |
| ServerLicensingSetPolicy | 0x20cec | 0x10 |
| ServerLicensingUnloadPolicy | 0x2ed04 | 0x11 |
| ServerQueryInetConnectorInformationA | 0x185c8 | 0x12 |
| ServerQueryInetConnectorInformationW | 0x35b78 | 0x13 |
| ServerSetInternetConnectorStatus | 0xaf38 | 0x14 |
| WTSRegisterSessionNotificationEx | 0x1d320 | 0x15 |
| WTSUnRegisterSessionNotificationEx | 0x2e560 | 0x16 |
| WinStationActivateLicense | 0x744c | 0x17 |
| WinStationAutoReconnect | 0x103c0 | 0x18 |
| WinStationBroadcastSystemMessage | 0x33dac | 0x19 |
| WinStationCheckAccess | 0xb518 | 0x1a |
| WinStationCheckLoopBack | 0x87e4 | 0x1b |
| WinStationCloseServer | 0x1150c | 0x1c |
| WinStationConnectA | 0x37f54 | 0x1d |
| WinStationConnectAndLockDesktop | 0x37230 | 0x1e |
| WinStationConnectCallback | 0x24504 | 0x1f |
| WinStationConnectEx | 0x9568 | 0x20 |
| WinStationConnectW | 0x1e29c | 0x21 |
| WinStationCreateChildSessionTransport | 0x2b190 | 0x22 |
| WinStationDisconnect | 0x33000 | 0x23 |
| WinStationEnableChildSessions | 0xe96c | 0x24 |
| WinStationEnumerateA | 0x11a98 | 0x25 |
| WinStationEnumerateExW | 0x1faf4 | 0x26 |
| WinStationEnumerateLicenses | 0x2d380 | 0x27 |
| WinStationEnumerateProcesses | 0x3566c | 0x28 |
| WinStationEnumerateW | 0x170b0 | 0x29 |
| WinStationEnumerate_IndexedA | 0x2764c | 0x2a |
| WinStationEnumerate_IndexedW | 0xda0c | 0x2b |
| WinStationFreeConsoleNotification | 0x406e4 | 0x2c |
| WinStationFreeEXECENVDATAEX | 0x3159c | 0x2d |
| WinStationFreeGAPMemory | 0x141e0 | 0x2e |
| WinStationFreeMemory | 0xef30 | 0x2f |
| WinStationFreePropertyValue | 0x12754 | 0x30 |
| WinStationFreeUserCertificates | 0xe344 | 0x31 |
| WinStationFreeUserCredentials | 0x1f31c | 0x32 |
| WinStationFreeUserSessionInfo | 0x2b4bc | 0x33 |
| WinStationGenerateLicense | 0x2d08c | 0x34 |
| WinStationGetAllProcesses | 0x1c2e8 | 0x35 |
| WinStationGetAllSessionsEx | 0x1fea0 | 0x36 |
| WinStationGetAllSessionsW | 0x19b9c | 0x37 |
| WinStationGetAllUserSessions | 0x1d4e0 | 0x38 |
| WinStationGetChildSessionId | 0xfb5c | 0x39 |
| WinStationGetConnectionProperty | 0x148b4 | 0x3a |
| WinStationGetCurrentSessionCapabilities | 0x5448 | 0x3b |
| WinStationGetCurrentSessionConnectionProperty | 0x21e94 | 0x3c |
| WinStationGetCurrentSessionTerminalName | 0x14980 | 0x3d |
| WinStationGetDeviceId | 0x1e4fc | 0x3e |
| WinStationGetInitialApplication | 0x3a94 | 0x3f |
| WinStationGetLanAdapterNameA | 0x3500c | 0x40 |
| WinStationGetLanAdapterNameW | 0x304b8 | 0x41 |
| WinStationGetLoggedOnCount | 0x37198 | 0x42 |
| WinStationGetMachinePolicy | 0x28a38 | 0x43 |
| WinStationGetParentSessionId | 0x18ad8 | 0x44 |
| WinStationGetProcessSid | 0x23484 | 0x45 |
| WinStationGetRedirectAuthInfo | 0x21df4 | 0x46 |
| WinStationGetRestrictedLogonInfo | 0xc674 | 0x47 |
| WinStationGetSessionIds | 0x1acc | 0x48 |
| WinStationGetTermSrvCountersValue | 0x1665c | 0x49 |
| WinStationGetUserCertificates | 0x8794 | 0x4a |
| WinStationGetUserCredentials | 0x3e30c | 0x4b |
| WinStationGetUserProfile | 0x2fbc | 0x4c |
| WinStationInstallLicense | 0x1ebcc | 0x4d |
| WinStationIsChildSessionsEnabled | 0xa870 | 0x4e |
| WinStationIsCurrentSessionRemoteable | 0x310d4 | 0x4f |
| WinStationIsHelpAssistantSession | 0x3e898 | 0x50 |
| WinStationIsSessionPermitted | 0xda1c | 0x51 |
| WinStationIsSessionRemoteable | 0x179c0 | 0x52 |
| WinStationNameFromLogonIdA | 0x34f78 | 0x53 |
| WinStationNameFromLogonIdW | 0x24ed4 | 0x54 |
| WinStationNegotiateSession | 0x15328 | 0x55 |
| WinStationNtsdDebug | 0x30d6c | 0x56 |
| WinStationOpenServerA | 0x13ba8 | 0x57 |
| WinStationOpenServerExA | 0x1d588 | 0x58 |
| WinStationOpenServerExW | 0x3caec | 0x59 |
| WinStationOpenServerW | 0x3af8 | 0x5a |
| WinStationPreCreateGlassReplacementSession | 0x36ff0 | 0x5b |
| WinStationPreCreateGlassReplacementSessionEx | 0x18ab8 | 0x5c |
| WinStationQueryAllowConcurrentConnections | 0x1d4bc | 0x5d |
| WinStationQueryCurrentSessionInformation | 0xf5d0 | 0x5e |
| WinStationQueryEnforcementCore | 0x34e24 | 0x5f |
| WinStationQueryInformationA | 0x9954 | 0x60 |
| WinStationQueryInformationW | 0x9c90 | 0x61 |
| WinStationQueryLicense | 0x2f848 | 0x62 |
| WinStationQueryLogonCredentialsW | 0xbfb8 | 0x63 |
| WinStationQuerySessionVirtualIP | 0xed90 | 0x64 |
| WinStationQueryUpdateRequired | 0x1bb78 | 0x65 |
| WinStationRcmShadow2 | 0x3a4fc | 0x66 |
| WinStationRedirectErrorMessage | 0x3fc4 | 0x67 |
| WinStationRedirectLogonBeginPainting | 0x40b1c | 0x68 |
| WinStationRedirectLogonError | 0x329d0 | 0x69 |
| WinStationRedirectLogonMessage | 0x1a8e8 | 0x6a |
| WinStationRedirectLogonStatus | 0xdcb0 | 0x6b |
| WinStationRegisterConsoleNotification | 0x3db9c | 0x6c |
| WinStationRegisterConsoleNotificationEx | 0x4320 | 0x6d |
| WinStationRegisterConsoleNotificationEx2 | 0xc190 | 0x1 |
| WinStationRegisterCurrentSessionNotificationEvent | 0x1871c | 0x6e |
| WinStationRegisterNotificationEvent | 0x1caec | 0x6f |
| WinStationRemoveLicense | 0xad28 | 0x70 |
| WinStationRenameA | 0x3e0a0 | 0x71 |
| WinStationRenameW | 0x10064 | 0x72 |
| WinStationReportUIResult | 0x30854 | 0x73 |
| WinStationReset | 0x280b0 | 0x74 |
| WinStationRevertFromServicesSession | 0x20f9c | 0x75 |
| WinStationSendMessageA | 0x3dc44 | 0x76 |
| WinStationSendMessageW | 0x25608 | 0x77 |
| WinStationSendWindowMessage | 0x378e4 | 0x78 |
| WinStationServerPing | 0x27898 | 0x79 |
| WinStationSetAutologonPassword | 0x15b60 | 0x7a |
| WinStationSetInformationA | 0x36334 | 0x7b |
| WinStationSetInformationW | 0x2f668 | 0x7c |
| WinStationSetPoolCount | 0x12008 | 0x7d |
| WinStationSetRenderHint | 0x10d54 | 0x7e |
| WinStationShadow | 0x1f2bc | 0x7f |
| WinStationShadowAccessCheck | 0x36038 | 0x80 |
| WinStationShadowStop | 0xa3ec | 0x81 |
| WinStationShadowStop2 | 0x1503c | 0x82 |
| WinStationShutdownSystem | 0x3a0e4 | 0x83 |
| WinStationSwitchToServicesSession | 0x20bcc | 0x84 |
| WinStationSystemShutdownStarted | 0x3fcb8 | 0x85 |
| WinStationSystemShutdownWait | 0x1536c | 0x86 |
| WinStationTerminateGlassReplacementSession | 0x28a90 | 0x87 |
| WinStationTerminateProcess | 0x23fcc | 0x88 |
| WinStationUnRegisterConsoleNotification | 0x1e86c | 0x89 |
| WinStationUnRegisterNotificationEvent | 0x2ba70 | 0x8a |
| WinStationUserLoginAccessCheck | 0x1b4d0 | 0x8b |
| WinStationVerify | 0x27dbc | 0x8c |
| WinStationVirtualOpen | 0xbec0 | 0x8d |
| WinStationVirtualOpenEx | 0x20a5c | 0x8e |
| WinStationWaitSystemEvent | 0xab44 | 0x8f |
| _NWLogonQueryAdmin | 0x1fc60 | 0x90 |
| _NWLogonSetAdmin | 0x1ab3c | 0x91 |
| _WinStationAnnoyancePopup | 0x40f10 | 0x92 |
| _WinStationBeepOpen | 0x39a50 | 0x93 |
| _WinStationBreakPoint | 0x3182c | 0x94 |
| _WinStationCallback | 0x3d540 | 0x95 |
| _WinStationCheckForApplicationName | 0x22e50 | 0x96 |
| _WinStationFUSCanRemoteUserDisconnect | 0x28074 | 0x97 |
| _WinStationGetApplicationInfo | 0xa000 | 0x98 |
| _WinStationNotifyDisconnectPipe | 0x6300 | 0x99 |
| _WinStationNotifyLogoff | 0x1f14 | 0x9a |
| _WinStationNotifyLogon | 0x2a208 | 0x9b |
| _WinStationNotifyNewSession | 0x40c10 | 0x9c |
| _WinStationOpenSessionDirectory | 0x8768 | 0x9d |
| _WinStationReInitializeSecurity | 0x31648 | 0x9e |
| _WinStationReadRegistry | 0x26d80 | 0x9f |
| _WinStationSessionInitialized | 0x57e0 | 0xa0 |
| _WinStationShadowTarget | 0x3b860 | 0xa1 |
| _WinStationShadowTarget2 | 0x36f6c | 0xa2 |
| _WinStationShadowTargetSetup | 0xa8e8 | 0xa3 |
| _WinStationUpdateClientCachedCredentials | 0x396cc | 0xa4 |
| _WinStationUpdateSettings | 0x388a4 | 0xa5 |
| _WinStationUpdateUserConfig | 0x7c8c | 0xa6 |
| _WinStationWaitForConnect | 0x2f99c | 0xa7 |
