FileHistory.exe

  • File Path: C:\WINDOWS\system32\FileHistory.exe
  • Description: File History


Runtime Data

Window Title:

–help - File History

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\explorerframe.dll.mui File
(R-D) C:\Windows\System32\en-US\FileHistory.exe.mui File
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(R-D) C:\Windows\System32\fhuxadapter.dll File
(R-D) C:\Windows\System32\fhuxapi.dll File
(R-D) C:\Windows\System32\fhuxcommon.dll File
(R-D) C:\Windows\System32\fhuxgraphics.dll File
(R-D) C:\Windows\System32\fhuxpresentation.dll File
(R-D) C:\Windows\SystemResources\ExplorerFrame.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e\comctl32.dll.mui File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22000.282_none_ce81670012fd6ff0 File
...\Cor_SxSPublic_IPCBlock Section
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_888 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\UrlZonesSM_TI-ADMIN Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\system32\FileHistory.exe
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\KERNEL32.dll
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\ole32.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: FileHistory.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/7406fcdf9a773caefb0d85911766d4aefe6dc7d4940dd139af56ad9121592596/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\FileHistory.exe 72
C:\WINDOWS\system32\FileHistory.exe 69
C:\Windows\system32\FileHistory.exe 71

Possible Misuse

The following table contains possible examples of FileHistory.exe being misused. While FileHistory.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: malware-ioc
  • Source File: nukesped_lazarus
  • Example: .FileHistory.exe
  • License: © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.