Analysis

Category FILE
Package exe
Started 2025-06-13 00:27:01
Completed 2025-06-13 00:58:00
Duration 1859 seconds
Options procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1
Log(s)
2024-11-25 13:37:15,022 [root] INFO: Date set to: 20250612T19:04:34, timeout set to: 1800
2025-06-12 20:04:34,753 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:04:34,753 [root] DEBUG: Storing results at: C:\iDarMfdE
2025-06-12 20:04:34,753 [root] DEBUG: Pipe server name: \\.\PIPE\IMPWOAOm
2025-06-12 20:04:34,753 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:04:34,753 [root] INFO: analysis running as an admin
2025-06-12 20:04:34,753 [root] INFO: analysis package specified: "exe"
2025-06-12 20:04:34,753 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:04:35,159 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:04:35,159 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:04:35,190 [lib.common.common] INFO: wrapping
2025-06-12 20:04:35,190 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:04:35,190 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\Dism.exe
2025-06-12 20:04:35,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:04:35,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:04:35,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:04:35,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:04:35,378 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:04:35,378 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:04:35,409 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:04:35,425 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:04:35,440 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:04:35,440 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:04:35,440 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:04:35,440 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:04:35,456 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:04:35,456 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:04:35,456 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:04:35,456 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:04:35,456 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:04:35,456 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:04:35,456 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:04:35,456 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:04:35,456 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:04:35,456 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:04:46,987 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-12 20:04:47,003 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:04:47,003 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:04:47,003 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:04:47,003 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:04:47,003 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:04:47,003 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:04:47,034 [modules.auxiliary.disguise] INFO: Disguising GUID to ce863701-2277-4ca4-b783-294e80b72cd2
2025-06-12 20:04:47,034 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:04:47,050 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:04:47,050 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:04:47,050 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:04:47,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:04:47,050 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:04:47,050 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:04:47,050 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:04:47,050 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:04:47,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:04:47,050 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:04:47,050 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:04:47,050 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:04:47,050 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:04:47,050 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:04:47,050 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:04:47,050 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:04:47,096 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:04:47,096 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:04:47,128 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\NmhMelLB.dll, loader C:\tmp_gell1p8\bin\TfDuBatI.exe
2025-06-12 20:04:47,175 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:04:47,175 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-12 20:04:47,206 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:04:47,206 [root] INFO: Disabling sleep skipping.
2025-06-12 20:04:47,206 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:04:47,206 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:04:47,206 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:04:47,206 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:04:47,206 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:04:47,222 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:04:47,222 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:04:47,222 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:04:47,237 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4772, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-12 20:04:47,237 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:04:47,237 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:04:47,237 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:04:47,237 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-12 20:04:47,253 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:04:47,253 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 00:27:01
Shutdown On 2025-06-13 00:57:41
Route none

File Details

File Name Dism.exe
File Type PE32 executable (console) Intel 80386, for MS Windows
File Size 231224 bytes
MD5 4ce13247bfc57b6128ba57178b382e11
SHA1 f8a65cfcac8f55c72518aeba68c327a11b6bcf8c
SHA256 3036c3a4c3884d8ac8b58436f308332ab4a1879e1c805e568eb1a0f8b85255e8
SHA3-384 92c220f0e6047a252919b9b1331a3e2db8b9bceac69d64926eda9733dea88de1eb6142fb64a4b363f5bfe6b3dbff3e61
CRC32 2EF1985B
TLSH T1FC34C52337E8952AF2F77A301DF452745ABBBE61DF30C75F2240839D19626918C26B63
Ssdeep 3072:wz75RF58D/XG80NRfWOlSJgOyf+77q5/w3BZvWpUf/i9/L3MuLVr8JWW:cvF5iXGhNrnf+fN3vWpG/6/L1r8l
.?AVCSecurityDesc@ATL@@
8R9x9
Operation was incomplete because of a cancel request.
OnCliOutput event failed (hr:0x%x).
installation.
The DISM log file can be found at %1
5"5D5O5b5m5
:2;=;C;K;R;`;g;l;
:0:4:L:P:h:x:
3(373
Ph4B@
WhPs@
uGf9G
An error occurred while parsing the command-line options specified.
The %s option is not a valid command.
>)>W>z>
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
__wgetmainargs
ReleaseSRWLockExclusive
1$1)1;1D1{1
20180915065200Z
Attempting to cancel the operation...
j\Xf9F
Failed getting the token collection count.
5)535O5`5k5p5
GetTraceEnableFlags
.?AU?$CAtlValidateModuleConfiguration@$0A@VCConsoleModule@@@ATL@@
Do not use the /Image or /WinDir option when using the /Online option to specify a running operating system.
QueryPerformanceCounter
Unable to allocate string resource. HRESULT=%X
NtSetInformationFile
>'?2?7?K?x?
=.=9=>=O=p={=
5 5(5054585@5X5\5t5x5
msvcrt.dll
< <(<4<<<p<x<
StringFileInfo
2^2i2n2
Failed to get the provider store for the image at '%s'. HRESULT=%X
5D5f5z5
0&080D0J0Q0Z0`0h0n0{0
-h8e@
1 1,191U1]1
If the operating system is supported check that SSShim.DLL is present.
CLI is processing /export-driver command.
If not set, the temporary directory will be used.
Failed to make the name of the help category lowercase.
.?AV?$CComObject@V?$CComEnumOnSTL@UIEnumVARIANT@@$1?IID_IEnumVARIANT@@3U_GUID@@BUtagVARIANT@@U?$_CopyVariantFromAdaptItf@UIDismHelpItem@@@@V?$list@V?$CAdapt@V?$CComPtr@UIDismHelpItem@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismHelpItem@@@ATL@@@ATL@@@std@@@std@@VCComMultiThreadModel@ATL@@@ATL@@@ATL@@
/Quiet
NoRestart
Microsoft Time-Stamp service0
9(9<9D9L9T9\9h9p9
1f;2u
?"?,?
Failed to get the top-level command from the token collection. HRESULT=%X
GetSecurityDescriptorGroup
.text$mn
3 3$303P3\3h3
?M?|?
DISM.exe /Image:C:\test\offline /Format:Table /Get-AppPatches
4K9S9]9c9n9u9z9
The target image version is: %u.%u.%u.%u.
WdsCopyFileEx: Failed to delete %s. GLE = 0x%x
logpath
767S7v7
CDismWrapper::BuildCommandTable
%s processed the command line but failed. HRESULT=%X
SysDriveDir
\\?\UNC
Invalid command line option: Offline image specified is the running system.
LogLevel2Specifies the output level shown in the log (1-4).
9A9H9T9
QhTh@
Failed to load %s. Try running from the Deployment Tools Command Prompt. If the issue persists, ensure that wimgapi.dll and wimserv.exe are up to date.
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
Failed to get the header text for the help item registered to the topic(%s). HRESULT=%X
arm64
.?AVDISMEventHandler@@
%s%s%s
j\Zf;TN
EventWriteTransfer
WdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u ms
8$8,848@8`8l8t8
1@1j1
DismCliCloseSession
<C<I<n<
9!:+:B:V:o:
^`h`@@
Failed to add the Help Category(%s) to the CategoryMap.
0)0.0[0z0
<J=U=Z=r=
GetFileInformationByHandle
Failed to query the OSServices provider for the image state. HRESULT=%X
Failed to create the token collection instance. HRESULT=%X
Failed to register the DISM CLI commands.
2)252H2X2c2h2
Failed to get the help text for the topic: %s.
.?AVCDacl@ATL@@
The /Image option cannot be used in this context.
For more information, refer to the help by running DISM.exe /Image=<path_to_offline_image> /? where <path_to_the_offline_image> is the full path to an offline Windows image.
2$2/242H2i2t2y2
2%202@2E2^2}2
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
EventActivityIdControl
iSHp6
ImageTopLevelHelp
.rdata$zETW1
PRVAL
Microsoft-Windows-Dism-Cli
7$7,7D7L7T7\7t7|7
.?AUIDismHelpItemCollection@@
848L8d8l8t8|8
.?AUIDismEventManager@@
GetModuleFileNameW
IMAGE SPECIFICATIONS:
>!>&>;>
Image
DismCliLoadImageSession
t[VW3
91:Q:X:_:z:
1+1J1U1Z1v1
Failed to get the collection of providers from the provider store.
Specifies the path to the Windows directory relative to the image path.
.?AVCImageInfo@@
An error occurred while processing the command-line options.
.CRT$XCA
DriverTopLevelHelp
Make sure that the image path and the Windows directory for the image exist and you have Read permissions on the folder.
uvh`*@
support this option. The accepted values for <output_format> are:
KERNEL32.dll
Table = Displays the report in a table.
;:;H;^;y;
,0004080<0D0p0t0
Only error messages will be displayed.
5*62676t6~6
DISMCLI
3,373<3J3W3
Attempting to write log message before LogWrapper has been fully initialized.
.?AV?$CComObjectRootEx@VCComSingleThreadModel@ATL@@@ATL@@
??1type_info@@UAE@XZ
UnhandledExceptionFilter
A destination path must be specified.
EventUnregister
2;2_2o2t2
TASK0
wcscpy_s
U0S0Q
GetVersionExW
MapViewOfFile
The destination path %1!s! does not exist.
_wcslwr_s
VS_VERSION_INFO
DISM.exe /Image:C:\test\offline /quiet
Displays command line output in English.
0&0.080=0o0z0
.?AVCSid@ATL@@
DISM.exe /Image:C:\test\offline /?
4$4,4D4\4t4|4
Failed to get target image version. HRESULT=0x%X
.CRT$XCZ
InvalidHelpTopic
CDismWrapper::TryExecuteCommand
dE7,:
Error: %1!d!
No destination path is given.
7'7R7
.?AVCComObjectRootBase@ATL@@
SendMessageW
ImageTopLevelHelp9
Examples:
=#=.=8=M=Z=a=i=r=z=
.data
Failed to get the count from the provider collection. HRESULT=%X
2$2<2P2d2x2
DISM does not support servicing Windows PE with the /Online option.
3 3$3(3,30343<3@3D3H3L3P3T3X3\3`3h3l3p3t3|3
LogPath
User declined the restart.
-bK|.NR
Failed to add commands from %s.
InitializeSid
memset
The directory %1 does not appear to be a valid Windows directory.
Wait a few minutes and try running the command again.
2 = Errors and warnings
quiet
t:SSSj
DeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%x
GetProcAddress
0,141<1D1L1T1\1d1p1
Failed restarting the computer with HRESULT=%X.
6'62676L6
An error occurred while locating the DISM binaries. DISM is attempting to locate dismcore.dll.
/ScratchDir:<path_to_directory>
ProductName
6#6-6I6P6\6c6j6z6
The file %1 does not appear to be a valid DLL.
8+8N8q8
Microsoft Corporation1.0,
3(3/3L3V3a3i3o3
Unable to access the image.
.idata$6
Failed to bind to ssshim.dll at path %s. HRESULT=%X
;4;<;D;P;X;
.?AVCConsoleModule@@
j:Xf9C
<1<A<K<a<p<v<
Invalid parameter passed to C runtime function.
?$?q?|?
No help topic could be found for the %1 option.
.?AVCAce@CAcl@ATL@@
.?AV?$CComEnumOnSTL@UIEnumVARIANT@@$1?IID_IEnumVARIANT@@3U_GUID@@BUtagVARIANT@@U?$_CopyVariantFromAdaptItf@UIDismHelpItem@@@@V?$list@V?$CAdapt@V?$CComPtr@UIDismHelpItem@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismHelpItem@@@ATL@@@ATL@@@std@@@std@@VCComMultiThreadModel@ATL@@@ATL@@
<file name="Dism.exe" hashalg="SHA1">
7"8-8C8l8
AddAce
Ensure that the command-line arguments are valid. For more information, review the log file.
<:<D<N<X<g<n<|<
Remove the duplicate option and try the command again.
Ph@@@
0(13181L1l1z1
555p5
j\Zf;
/LogPath:<path_to_logfile>
Attempting to add the commands from provider: %s
1 1<1D1L1T1\1
>.>N>Y>p>
FileVersion
HeapSize
Failed to register help for the local provider store.
Examples:
Failed while copying directory %s
.?AVlength_error@std@@
Microsoft Corporation1&0$
IsValidSecurityDescriptor
; ;4;<;D;P;X;p;
1(0&0
180703204550Z
>,>0>D>T>X>h>l>p>
/export-driver only accept /destination argument.
GetConsoleMode
english
>R>Y>c>l>
3"3(353=3D3P3U3[3d3j3r3
List = Displays the report in a list of name/value pairs.
$Microsoft Ireland Operations Limited1&0$
;&;*;.;2;6;:;>;B;F;J;N;R;V;Z;^;e;~;
2$3/343N3{3
memcpy_s
nSsShim.dll
SetFilePointer
2&3C3f3$484
DISM.exe /Image:C:\test\offline /WinDir:Win
DismCore.dll
3+3`3h3
Registering information from the help collection from provider: %s.
CoInitializeSecurity
/Online command-line option:
1(111N1j1|1
DISM.exe /Image:C:\test\offline /Format:Table /English /Get-Packages
Failed to get the count of commands in the collection from %s.
6$6<6@6X6\6t6x6
>(>X>s>
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
DISM.exe [dism_options] {Imaging_command} [<Imaging_arguments>]
5.5T5_5d5
MakeAbsoluteSD
4 4t4x4
Unable to access the System directory for the specified image.
VerQueryValueW
specified, it defaults to the offline image path.
4,444<4D4L4T4`4h4
PPPPP
ttVh`*@
EventRegister
?9?D?O?T?q?
\SysWOW64
Deployment Image Servicing and Management tool
DownlevelTopLevelHelp
243H3X3h3t3|3
Failed while trying to QI provider:%s.
CoInitializeEx
:?:v:
SYSTEM\CurrentControlSet\Control\MiniNT
?4?<?T?\?d?l?
<D<^<g<
1!2B2K2i2
y@j@j
.?AVout_of_range@std@@
.?AUIEnumVARIANT@@
,kH74sLPAqAVw0ufoXcaoCXZvg4Ek8BcTJ1O8n4TwE9Y=0Z
9-9M9X9]9|9
HeapAlloc
<K<`<
0<0P0d0l0t0|0
;C<N<S<h<
?H?Z?j?p?x?~?
DISM.exe /Image:C:\test\offline /logpath:C:\LogFiles\dism.log
The %1 option is missing a required argument.
globalroot
y_9>tK
>2>V>
.data$brc
InternalName
Failed to mount the image at '%s'. HRESULT=%X
ExitCode_DismCliRun
malloc
4$5I5U5r5
DISM.exe /ScratchDir /?
loglevel
5*5/5V5q5|5
.rsrc$02
6B7R7b7r7|7
j Xf9
_unlock
j-Yf;
5P6l7
>(>Z>c>{>
For more information, refer to the help by running DISM.exe /WinDir /?.
en-US
1(4|4
FindNextFileW
OLEAUT32.dll
kernel32.dll
PWh .@
.text$di
4"4'494B4s4
FindClose
j\Xf9C
919B9H9
Windows
5%50555F5S5
Failed to setup logging parameters. HRESULT=%X
GetCurrentProcessId
table
3"3-323G3f3q3v3
I0G1-0+
.rdata$zETW0
Failed to get the name of the command.
DISM does not support servicing a Windows Vista RTM or earlier operating system.
14181<1X1x1
Failed to add any commands.
999D9I9[9
Failed to get file name from full path %s
2<2C2V2
>?usf9F
0h(O@
282s2
4"4'494B4v4
WriteConsoleW
LocalTopLevelHelp
.?AV?$CComObject@VCDISMHelpItemCollection@@@ATL@@
export-driver
An error occurred while loading DISM. The DISM tool may be corrupt.
windir
Host machine information: OS Version=%u.%u.%u, Running architecture=%s, Number of processors=%d
Driver COMMANDS::
Failed to release the command table for the local image session. HRESULT=0x%x
d6 Count %d HRESULT=%X
ssshim.dll
=$=,=4=<=D=L=X=`=|=
0)0<0`0
Failed to copy to location of the system directory. HRESULT=%X
>$>,>4><>d>l>t>|>
:$:X:`:h:t:|:
ShTn@
6hPC@
:9:D:_:
.?AV?$ICollectionOnSTLImpl@V?$IDispatchImpl@UIDismTokenCollection@@$1?IID_IDismTokenCollection@@3U_GUID@@B$1?m_libid@CAtlModule@ATL@@2U_GUID@@A$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@V?$list@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@@std@@@std@@PAUIDismToken@@U?$_CopyItfFromAdaptItf@UIDismToken@@@@V?$CComEnumOnSTL@UIEnumVARIANT@@$1?IID_IEnumVARIANT@@3U_GUID@@BUtagVARIANT@@U?$_CopyVariantFromAdaptItf@UIDismToken@@@@V?$list@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@@std@@@std@@VCComMultiThreadModel@ATL@@@2@@ATL@@
4A4s4~4
.CRT$XIZ
Shxb@
An initialization error occurred.
+0<0`0
Export all third-party driver packages from a Windows image to a destination path.
0 0N0U0^0
4:4U4c4t4|4
DllGetClassObject
!This program cannot be run in DOS mode.
.?AV?$CComObject@VCDISMHelpItem@@@ATL@@
volume{
8+8:8E8J8a8
CHelpHandler::Initialize
&h K@
Ensure that the file has not been corrupted.
OPCOT
api-ms-win-eventing-provider-l1-1-0.dll
tJj:Xf9C
with a command that does not generate reports, or a command that does not
DISM.exe /Image:C:\test\offline /Get-Packages
CopyDirectoryEx2: Specified directory [%s] doesn't exist
Redmond1
8'82878N8v8
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
.?AV?$CComObjectRootEx@VCComMultiThreadModel@ATL@@@ATL@@
For more information, refer to the help.
.?AV?$CAtlExeModuleT@VCConsoleModule@@@ATL@@
7$787L7`7t7|7
4D4T4`4h4
Failed to get build the command table for the image provider store.
=*=N=Y=^=
USER32.dll
:+:X:
9 949H9\9p9
EnumeratePathEx: Failed search path is >= MAX_PATH!
get-help
Restart Windows to complete this operation.
For more information about these servicing commands and their arguments,
20180916065200Z0w0=
tWVPj
808D8b8m8r8
CopyDirectoryFileCallback: Unable to %s file from [%s] to [%s]; GLE = 0x%x
;.;f;
7K7k7v7{7
This is the path to the root directory of the offline Windows image.
r~akow
EnterCriticalSection
.CRT$XCU
Failed to copy option and argument strings (hr:0x%x
8W8t8
Ensure that the path to the directory exists and that you have Read/Write permissions on the folder. For more information, refer to the help by running DISM.exe /ScratchDir /?.
_errno
8L9`9t9|9
For more information, refer to the help by running DISM.exe /LogLevel /?.
=*=/=K=j=u=z=
9^<us3
"<>|*?:
.?AV?$IDispatchImpl@UIDismToken@@$1?IID_IDismToken@@3U_GUID@@B$1?m_libid@CAtlModule@ATL@@2U_GUID@@A$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
6#6U6n6
5,5A5d5
>%>C>
-h8N@
\System32
oK0D$"<
Error: 0x%1!x!
GetCurrentProcess
Quiet0Suppresses all output except for error messages.
<&<-<5<;<E<U<\<f<
win:Stop
;(;3;8;O;j;u;z;
_vscwprintf
7"858C8Q8
advapi32.dll
online
}}H<&
Examples:
LocalFree
7%7E7\7
.?AV?$IEnumOnSTLImpl@UIEnumVARIANT@@$1?IID_IEnumVARIANT@@3U_GUID@@BUtagVARIANT@@U?$_CopyVariantFromAdaptItf@UIDismToken@@@@V?$list@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@@std@@@std@@@ATL@@
%hhd@
7?8r8
</assembly>
Exporting driver %s.
Translation
;%;*;?;a;l;q;
OSServices
%-40s
>!?>?
Invalid command-line argument.
<description>Windows deployment image servicing and management tool</description>
ATL$__z
;,<4<<<H<P<
Invalid command-line option "%1".
Got the collection of providers. Now enumerating them to build the command table.
/NoRestart
/Image:<path_to_offline_image> [/SysDriveDir:<path_to_bootmgr>]
Failed to retrieve out of box drivers from image. HRESULT=%X
4 = All the above and debug output
4,474<4J4W4
Logging is disabled: Unable to obtain access to the log file %1!s!.
RegisterTraceGuidsW
wcsncmp
DISM.exe /Image:C:\test\offline /Export-Driver /Destination:C:\destpath
Unable to find the Windows directory in the running Windows installation.
5'6<6G6L6s6
GetTempFileNameW
LogLevel
ProductVersion
api-ms-win-eventing-provider-l1-1-0
__p__commode
; ;j;
6#797\7g7l7
__CxxFrameHandler3
Failed adjusting token privilege HRESULT=%X
_onexit
IsValidSid
.CRT$XIAA
CDismWrapper::CheckForOSServices
2$2*282U2h2
Windows
amd64
7 74787H7X7\7`7x7|7
8&9A9\9w9
Ensure that the /WinDir option that is specified is valid. For more information, refer to the help by running DISM.exe /WinDir /?.
Failed to get the IDISMOSServiceManager interface. HRESULT=%X
=L9o<
2W3i3}3
.idata$2
0 0D0L0T0`0h0
.CRT$XCL
1/0-0
CHelpHandler::GetHelp
?what@exception@@UBEPBDXZ
<$<<<P<X<`<l<
=W=h=
InitiateSystemShutdownExW
.tls$
?0?J?b?
DismCliExecuteCmdLine
sev`3
46.,^Sv
LookupPrivilegeValueW
1Z1a1
.gfids
.?AV?$CComEnumOnSTL@UIEnumVARIANT@@$1?IID_IEnumVARIANT@@3U_GUID@@BUtagVARIANT@@U?$_CopyVariantFromAdaptItf@UIDismToken@@@@V?$list@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@V?$allocator@V?$CAdapt@V?$CComPtr@UIDismToken@@@ATL@@@ATL@@@std@@@std@@VCComMultiThreadModel@ATL@@@ATL@@
190726204550Z0p1
Operating System
8<8[8f8k8
N0L0J
DismCliEvent
7$7/747H7
7C8L8`8l8
Try running DISM again.
.?AV?$CComCoClass@VCToken@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
GetModuleHandleExW
6G7T7l7|7
90:K:f:
Quiet
RtlGetVersion
ik>su
=<=D=L=X=x=
_cexit
:J;[;
Failed to set the windows directory to '%s'. HRESULT=%X
.?AV?$CComCoClass@VDISMEventHandler@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
GetSecurityDescriptorOwner
Failed to get the driver inf path from the package.
This is the path to the root directory of the offline Windows image.
1+1M1|1
;4<h<
No DISM options were specified on the command-line.
> >.>`>
<Y=f=z=
Qh -@
>6>A>F>e>
DISM failed. No operation was performed.
6$6D6T6l6|6
GetLastError
EventWrite
image
_amsg_exit
?terminate@@YAXXZ
This option cannot be used with the /Online option.
6!6'62686D6T6]6x6
>=>D>N>d>
3&3/3;3i3
Failed to get underlying collection class.
English
4(4h4o4w4
Start
\\?\UNC\
V(_^[
Unknown
Qh,,@
j\Zf;Ty
2*353:3c3z3
5!5&5?5J5Z5_5s5
Use an elevated command prompt to complete these tasks.
??1exception@@UAE@XZ
6,6@6T6\6d6l6t6|6
GetSystemInfo
DISM enumerates, installs, uninstalls, configures, and updates features
CopySid
DISM.exe /Image:C:\test\offline /Get-Features /?
?P?c?n?s?
:k:t:}:
specify a command immediately before /?.
WdsRemoveDirectory: Unable to prepare path [%s]; GLE = 0x%x
0$080L0T0\0d0l0t0|0
3E3e3p3u3
RegCloseKey
Could not load the right ssshim.dll inside %s; trying to side-load it.
Yh`*@
Failed to write preamble text to stdout. HRESULT=%X
The following commands may be used to service the image:
RtlAllocateHeap
=$=,=D=\=t=|=

PE Information

Image Base 0x00400000
Entry Point 0x000222e0
Reported Checksum 0x0003ba8e
Actual Checksum 0x0003ba8e
Minimum OS Version 10.0
PDB Path Dism.pdb
Compile Time 2035-02-27 08:51:33
Import Hash b797727f0b32d9e005d5265580a4eb17

Version Infos

CompanyName Microsoft Corporation
FileDescription Dism Image Servicing Utility
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName dism
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename DISM.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000287d8 0x00028800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.97
.data 0x00028c00 0x0002a000 0x00001d88 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.78
.idata 0x0002a600 0x0002c000 0x000014ca 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.46
.rsrc 0x0002bc00 0x0002e000 0x00007968 0x00007a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.59
.reloc 0x00033600 0x00036000 0x00002f9c 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.70

Overlay

Offset 0x00036600
Size 0x00002138

Name Offset Size Language Sub-language Entropy File type
MUI 0x00035870 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.78 None
WEVT_TEMPLATE 0x00032888 0x000004d2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.83 None
RT_STRING 0x00032d60 0x00000274 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None
RT_STRING 0x00032fd8 0x000008a2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_STRING 0x00033880 0x000000d2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 None
RT_STRING 0x00033958 0x000002e2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.27 None
RT_STRING 0x00033c40 0x000009a6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.42 None
RT_STRING 0x000345e8 0x000007aa LANG_ENGLISH SUBLANG_ENGLISH_US 3.32 None
RT_STRING 0x00034d98 0x00000ad6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.40 None
RT_MESSAGETABLE 0x0002e9d8 0x00003eb0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None
RT_VERSION 0x0002e640 0x00000398 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_MANIFEST 0x0002e310 0x00000329 LANG_ENGLISH SUBLANG_ENGLISH_US 4.66 None

Imports

Name Address
_unlock 0x42c238
__dllonexit 0x42c23c
wcsstr 0x42c240
wcsncmp 0x42c244
_wcsnicmp 0x42c248
iswalpha 0x42c24c
_onexit 0x42c250
_lock 0x42c254
??1type_info@@UAE@XZ 0x42c258
_except_handler4_common 0x42c25c
?terminate@@YAXXZ 0x42c260
_initterm 0x42c264
__setusermatherr 0x42c268
__p__fmode 0x42c26c
_cexit 0x42c270
_exit 0x42c274
exit 0x42c278
__set_app_type 0x42c27c
__wgetmainargs 0x42c280
_amsg_exit 0x42c284
__p__commode 0x42c288
_XcptFilter 0x42c28c
_CxxThrowException 0x42c290
_callnewh 0x42c294
??0exception@@QAE@XZ 0x42c298
wcscpy_s 0x42c29c
wcsrchr 0x42c2a0
calloc 0x42c2a4
malloc 0x42c2a8
_purecall 0x42c2ac
??0exception@@QAE@ABQBD@Z 0x42c2b0
?what@exception@@UBEPBDXZ 0x42c2b4
??1exception@@UAE@XZ 0x42c2b8
??0exception@@QAE@ABV0@@Z 0x42c2bc
free 0x42c2c0
_vsnwprintf 0x42c2c4
towupper 0x42c2c8
_getwch 0x42c2cc
vswprintf_s 0x42c2d0
_vscwprintf 0x42c2d4
_wcsicmp 0x42c2d8
_wcslwr_s 0x42c2dc
wcschr 0x42c2e0
wprintf 0x42c2e4
memmove_s 0x42c2e8
memcpy_s 0x42c2ec
_errno 0x42c2f0
realloc 0x42c2f4
_controlfp 0x42c2f8
memcpy 0x42c2fc
towlower 0x42c300
__CxxFrameHandler3 0x42c304
memcmp 0x42c308
_ftol2 0x42c30c
__RTDynamicCast 0x42c310
memset 0x42c314
Name Address
WaitForSingleObject 0x42c094
ReadFile 0x42c098
SetFilePointer 0x42c09c
SearchPathW 0x42c0a0
UnmapViewOfFile 0x42c0a4
CreateFileMappingW 0x42c0a8
MapViewOfFile 0x42c0ac
DeviceIoControl 0x42c0b0
SetFileAttributesW 0x42c0b4
CopyFileExW 0x42c0b8
GetDriveTypeW 0x42c0bc
GetVersionExW 0x42c0c0
GetProcAddress 0x42c0c4
GetModuleHandleW 0x42c0c8
GetModuleHandleExW 0x42c0cc
FreeLibrary 0x42c0d0
InitializeCriticalSection 0x42c0d4
EnterCriticalSection 0x42c0d8
SetEvent 0x42c0dc
LeaveCriticalSection 0x42c0e0
GetLastError 0x42c0e4
CloseHandle 0x42c0e8
SetThreadUILanguage 0x42c0ec
SetErrorMode 0x42c0f0
SetConsoleCtrlHandler 0x42c0f4
OutputDebugStringW 0x42c0f8
GetCommandLineW 0x42c0fc
HeapFree 0x42c100
GetProcessHeap 0x42c104
SizeofResource 0x42c108
LockResource 0x42c10c
LoadResource 0x42c110
FindResourceExW 0x42c114
Sleep 0x42c118
GetCurrentProcess 0x42c11c
DeleteCriticalSection 0x42c120
RaiseException 0x42c124
GetCurrentThreadId 0x42c128
CompareStringW 0x42c12c
GetStdHandle 0x42c130
HeapAlloc 0x42c134
WriteConsoleW 0x42c138
LocalAlloc 0x42c13c
WideCharToMultiByte 0x42c140
WriteFile 0x42c144
LocalFree 0x42c148
GetFileType 0x42c14c
GetConsoleMode 0x42c150
GetModuleFileNameW 0x42c154
IsWow64Process 0x42c158
FormatMessageW 0x42c15c
GetFileAttributesW 0x42c160
SetLastError 0x42c164
CreateFileW 0x42c168
GetSystemInfo 0x42c16c
HeapSize 0x42c170
HeapReAlloc 0x42c174
HeapDestroy 0x42c178
MultiByteToWideChar 0x42c17c
UnhandledExceptionFilter 0x42c180
SetUnhandledExceptionFilter 0x42c184
TerminateProcess 0x42c188
ReleaseSRWLockExclusive 0x42c18c
AcquireSRWLockExclusive 0x42c190
WakeAllConditionVariable 0x42c194
SleepConditionVariableSRW 0x42c198
QueryPerformanceCounter 0x42c19c
GetCurrentProcessId 0x42c1a0
GetSystemTimeAsFileTime 0x42c1a4
GetTickCount 0x42c1a8
OutputDebugStringA 0x42c1ac
GetSystemWindowsDirectoryW 0x42c1b0
ExpandEnvironmentStringsW 0x42c1b4
GetTempFileNameW 0x42c1b8
GetFullPathNameW 0x42c1bc
CreateDirectoryW 0x42c1c0
GetFileInformationByHandle 0x42c1c4
FindFirstFileW 0x42c1c8
FindNextFileW 0x42c1cc
FindClose 0x42c1d0
LoadLibraryExW 0x42c1d4
Name Address
CoInitializeSecurity 0x42c1dc
CoCreateInstance 0x42c1e0
CoInitializeEx 0x42c1e4
CoUninitialize 0x42c1e8
Name Address
CharLowerBuffW 0x42c220
Name Address
LoadTypeLib 0x42c1f0
SysStringByteLen 0x42c1f4
SysAllocStringByteLen 0x42c1f8
SysAllocStringLen 0x42c1fc
VarBstrCmp 0x42c200
LoadRegTypeLib 0x42c204
GetErrorInfo 0x42c208
SysStringLen 0x42c20c
VariantClear 0x42c210
SysAllocString 0x42c214
SysFreeString 0x42c218
Name Address
GetFileVersionInfoSizeExW 0x42c228
GetFileVersionInfoExW 0x42c22c
VerQueryValueW 0x42c230
Name Address
RtlGetVersion 0x42c31c
RtlNtStatusToDosError 0x42c320
RtlFreeHeap 0x42c324
RtlAllocateHeap 0x42c328
NtSetInformationFile 0x42c32c


Usage


Processing ( 10.00 seconds )

  • 9.328 ProcessMemory
  • 0.643 CAPE
  • 0.017 BehaviorAnalysis
  • 0.008 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.006 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: Dism.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 5468 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\Dism.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Dism.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.