Analysis

Category Package Started Completed Duration
FILE exe 2025-06-13 11:51:00 2025-06-13 12:21:45 1845 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log
2024-11-25 13:37:15,053 [root] INFO: Date set to: 20250613T09:52:43, timeout set to: 1800
2025-06-13 10:52:43,140 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 10:52:43,140 [root] DEBUG: Storing results at: C:\gHzlKZ
2025-06-13 10:52:43,140 [root] DEBUG: Pipe server name: \\.\PIPE\rHrtLqJID
2025-06-13 10:52:43,140 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 10:52:43,140 [root] INFO: analysis running as an admin
2025-06-13 10:52:43,140 [root] INFO: analysis package specified: "exe"
2025-06-13 10:52:43,140 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 10:52:43,921 [root] DEBUG: imported analysis package "exe"
2025-06-13 10:52:43,921 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 10:52:43,921 [lib.common.common] INFO: wrapping
2025-06-13 10:52:43,921 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 10:52:43,921 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\FileHistory.exe
2025-06-13 10:52:43,921 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 10:52:43,921 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 10:52:43,921 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 10:52:43,921 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 10:52:44,281 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 10:52:44,312 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 10:52:44,327 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 10:52:44,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 10:52:44,359 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 10:52:44,359 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 10:52:44,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 10:52:44,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 10:52:44,359 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 10:52:44,359 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 10:52:44,359 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 10:52:44,359 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 10:52:44,359 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 10:52:44,359 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 10:52:44,359 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 10:52:44,374 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 10:52:44,374 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 10:52:44,374 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 10:52:44,640 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 10:52:44,640 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 10:52:44,640 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 10:52:44,640 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 10:52:44,640 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 10:52:44,640 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 10:52:44,640 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 10:52:44,640 [modules.auxiliary.disguise] INFO: Disguising GUID to 0cc594cc-feba-4a5b-a55d-bf6cf6b2e84f
2025-06-13 10:52:44,640 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 10:52:44,640 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 10:52:44,640 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 10:52:44,640 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 10:52:44,640 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 10:52:44,640 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 10:52:44,640 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 10:52:44,640 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 10:52:44,640 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 10:52:44,640 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 10:52:44,640 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 10:52:44,640 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 10:52:44,640 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 10:52:44,640 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 10:52:44,640 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 10:52:44,640 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 10:52:44,656 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 10:52:44,702 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 10:52:44,702 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\yOjggjR.dll, loader C:\tmpjeo7jmad\bin\xkGaAUPF.exe
2025-06-13 10:52:44,765 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 10:52:44,781 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\yOjggjR.dll.
2025-06-13 10:52:44,796 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 10:52:44,796 [root] INFO: Disabling sleep skipping.
2025-06-13 10:52:44,796 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 10:52:44,796 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 10:52:44,796 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 10:52:44,796 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 10:52:44,796 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 10:52:44,812 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 10:52:44,827 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 10:52:44,827 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 10:52:44,827 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6920, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 10:52:44,827 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 10:52:44,827 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 10:52:44,843 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 10:52:44,843 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\yOjggjR.dll.
2025-06-13 10:52:44,843 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 10:52:44,843 [roo <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 11:51:00 2025-06-13 12:21:24 none

File Details

File Name FileHistory.exe
File Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
File Size 250880 bytes
MD5 ef51cc7086f8c72c3a46bed2d211b2cb
SHA1 f13a7531a565e9f5c6c5f6a7e8b7f6a6fee2c1db
SHA256 aa496b2255a27150c56ef82d7c9d4cd0164067ec69e837ce2931b962a490f34f
SHA3-384 9888d8cc05017740badb1a32201902a2dfd83d67b7f0cd249b95c206ce22571170b55e340c69bd2facabda1dee776a02
CRC32 B32BD065
TLSH T19A3428117A708AB4DD694532DC1E96CC6272ECE35F214BE32190FF7E59F22C4A9361CA
Ssdeep 3072:VWWk8D+EpA8JH604aFUxzYuVD8o+otIxAGQWqt/qobdmyTVulAyX5iN:VWWu8lZUxzYuVD8ortIxAGJuyobd
get_HWnd
qqrihi
LargeIconsButtonClickCount
caX-yvmlyvmlzwml}ypacaX-caX
OnGlobalHookKeyPressed
get_Address
?A0x0c2d36e8.??__E_AtlReleaseManagedClassFactories@ATL@@YMXXZ
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@E@ATL@@2P6MXXZEA
set_FolderViewType
CNavigationPropertyChangedWrapper
_encode_pointer
_GUID
IsSignUnspecifiedByte
jXL <
.CRTMP$XCU
Compare
TTTsUUUnRRR>TTTo
SaveWindowRect
.?AUITravelLog@@
CHistoryVaultMainWindow.GetViewStateStream
g_hinst
CHistoryVaultMainWindow.GetNavigateState
.?AUIUnknown@@
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@M@ATL@@2P6MXXZEA
<CrtImplementationDetails>.LanguageSupport._UninitializeDefaultDomain
VVVJVVVg
jXL)F
<CrtImplementationDetails>.LanguageSupport.{ctor}
FileHistory
AddressBarButtonState
NoPreviewHandlerFiles
ShowSettingsMenu
_GUID_fc4801a3_2ba9_11cf_a229_00aa003d7352
get_RestoreButtonText
??_R1A@?0A@EA@IServiceProvider@@8
OYf6s
$PTMType$QEQtagVARIANT@@PEAE
__m2mep@?Release@CHistoryVaultMainWindow@@$$FGBA@EAAKXZ
settingsButton
RegisterClassExW
?A0xc2488d5d.SQM_NULL_STRING_ENTRY
jXL):
__unep@?KeyboardCallback@CHistoryVaultMainWindow@@$$FCA_JH_K_J@Z
List`1
1REau3+2u3+2u3+2
ppshv
(jXL(9
_TBBUTTON
??_C@_15DPCFIDNN@?$AAG?$AAo?$AA?$AA@
jXL T
ModuleHandle
PreviousVersionSliderSingleJumpCount
eee}]]]&
__unep@?_errno@@$$J0YAPEAHXZ
TBBUTTONINFOW
$PTMType$QEQtagVARIANT@@_J
$ArrayType$$$BY00$$CBU<unnamed-type-c_rgHomeToolbarInfo>@@
Dispose
Win32ComboBoxBase
CHomeButton.{ctor}
L&s?p
$_TypeDescriptor$_extraBytes_27
System.ComponentModel
AppendMenuW
get_Message
GpSolidFill
_callnewh
AssemblyAttributesGoHereSM
??_R3IShellBrowser@@8
__set_app_type
(null)
VVVDVVVD
??_C@_1BE@DJBEBCOE@?$AAU?$AAp?$AA?5?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AA?$AA@
VVV^]]]
_GUID_90f1a06c_7712_4762_86b5_7a5eba6bdb02
hmenu
CSettingsButton.ShowSettingsMenu
??_C@_1BG@EAMCFEDO@?$AAM?$AAa?$AAi?$AAn?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AA?$AA@
?hasPerProcess@DefaultDomain@<CrtImplementationDetails>@@0W4State@TriBool@2@A
prcView
IntPtr
</trustInfo>
CHistoryVaultMainWindow
<CrtImplementationDetails>.DefaultDomain.HasPerProcess
LoadIconW
IDATx
HFONT__
040904B0
<dpiAware>true</dpiAware>
VVVDEEE
Local\25B3A98A-0641-4EDE-9F91-81D5BAC42A3E
iOffset
get_FolderViewTypeExtraLargeIcons
xwwxww
name="Microsoft.Windows.Common-Controls"
FolderPreviewTypeMenuItemsVisibilityConverter
CHistoryVaultMainWindow.GetControlWindow
SizeSearchFilterCount
ReleaseDC
DefaultApplicationSettings
WVTQ999
HcA<H
CHistoryVaultMainWindow.{ctor}
errorMessage
?pmField@?$CVarTypeInfo@PEAG@ATL@@2QEQtagVARIANT@@PEAGEQ3@
ToPointer
context
CHistoryVaultMainWindow.EnableModelessSB
AssemblyAttributesGoHere
INotifyPropertyChanged
__m2mep@?AddRef@CTravelLog@@$$FUEAAKXZ
SHLWAPI.dll
TranslateMessage
bbb9xxx
GdipFillRectangle
<requestedPrivileges>
get_FolderViewTypeDetails
WinSqmStartSession
$ArrayType$$$BY09$$CBG
.CRTVT$XCZ
CSettingsButton._CreateMenu
?A0x2442659e.??__E?InitializedNative@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
??_R17?0A@EN@IShellBrowser@@8
CTravelLog.Clone
SimpleCheck
CHomeButton._UpdateToolbar
__m2mep@?s_TravelWndProc@@$$FYA_JPEAUHWND__@@I_K_J@Z
GetClientRect
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@M@ATL@@2QEQtagVARIANT@@MEQ3@@@YMXXZ
pMenuWidths
?QueryInterface@CHistoryVaultMainWindow@@$$FGBA@EAAJAEBU_GUID@@PEAPEAX@Z
??_R2ITravelLog@@8
gcroot<Microsoft::Windows::DataProtection::UI::Controls::Primitives::ZoomLevelMenuItemsVisibilityConverter ^>
ForceRemove
System.Runtime.Serialization
??_C@_1O@JDLOHAN@?$AAD?$AAe?$AAl?$AAe?$AAt?$AAe?$AA?$AA@
SearchRestoreCount
AppDomain
__enative_startup_state
ColorFromWin32Value
get_RestoreAsButtonText
add_CommandExecuted
jXL~d
tagWNDCLASSEXW
QPPP"
UTR6fda{~{w
__m2mep@?GetViewItems@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAUIItemStore@@@Z
VarFileInfo
??_7CHistoryVaultMainWindow@@6BIShellBrowserService@@@
_fmode
<CrtImplementationDetails>.DefaultDomain.Initialize
$ArrayType$$$BY0BE@$$CBG
HRESULT
CHistoryVaultMainWindow.GetTitle
!@{9Ax9
ImageList_Destroy
WinSqmIsOptedIn
.NETFramework,Version=v4.5
CHistoryVaultMainWindow.OnDestroyWindow
ModuleUninitializer
DefSubclassProc
0jXL)F
H$JwW
CHistoryVaultMainWindow.GoBack
HGF1pmj
$PTMType$QEQtagVARIANT@@PEAN
$ArrayType$$$BY02$$CBG
tagNMHDR
HWndLayoutElement
FocusManager
PropertyChangedEventHandler
ATL._AtlComModule
_initatexit_app_domain
ShutdownGdiplus
?pmField@?$CVarTypeInfo@PEAM@ATL@@2QEQtagVARIANT@@PEAMEQ3@
__m2mep@?SetStatusTextSB@CHistoryVaultMainWindow@@$$FEEAAJPEBG@Z
__native_startup_lock
?InitializedNative@DefaultDomain@<CrtImplementationDetails>@@2_NA
__m2mep@?Travel@CTravelLog@@$$FUEAAJPEAUIUnknown@@H@Z
__xi_z
??_R2IServiceProvider@@8
CaptureUICloseTime
IDisposable
Restore
CHistoryVaultMainWindow.SetAsDefFolderSettings
?A0x0c2d36e8.??__F_AtlReleaseManagedClassFactories@ATL@@YMXXZ
_GUID_cb2f6723_ab3a_11d2_9c40_00c04fa30a3e
cookie
?Initialized@CurrentDomain@<CrtImplementationDetails>@@$$Q2HA
jXL~\
IsUdtReturn
System.Security.Permissions
UxTheme.dll
The C++ module failed to load during process initialization.
nestedException
w8morH
gcroot<Microsoft::Windows::DataProtection::UI::ApplicationState ^>
ONL055
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAD@ATL@@2QEQtagVARIANT@@PEADEQ3@@@YMXXZ
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEAUIDispatch@@@ATL@@2P6MXXZEA
<security>
__m2mep@?GetWindow@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAUHWND__@@@Z
__m2mep@?s_EditBoxWndProc@CAddressBarButton@@$$FSA_JPEAUHWND__@@I_K_J11@Z
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEA_K@ATL@@2P6MXXZEA
fUnregister
10.0.17763.1 (WinBuild.160101.0800)
NoRemove
8jXL U
__ArrayUnwind
CHistoryVaultMainWindow.ContextSensitiveHelp
get_FolderViewTypeTiles
DeleteCriticalSection
AssemblyProductAttribute
RtlCaptureContext
ToString
add_PropertyChanged
GetInstance
CommandLineParser
get_OffsetToStringData
DisposeStaticInstance
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEAD@ATL@@2P6MXXZEA
jXL)=
?A0x2442659e.?InitializedPerAppDomain$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZEA
F]"`3
?pmField@?$CVarTypeInfo@PEAF@ATL@@2QEQtagVARIANT@@PEAFEQ3@
$ArrayType$$$BY03$$CBG
System.Runtime.Versioning
CTravelLog.UpdateExternal
Nm3Juo
?A0x2442659e.??__E?IsDefaultDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2_NA@@YMXXZ
IndexForToolbarSettings
TargetFrameworkAttribute
SaveSettings
NavigationHistory
GetDeviceCaps
DateModifiedSearchFilterCount
.?AUIShellBrowser@@
_getFiberPtrId
$ArrayType$$$BY0P@$$CBD
sss,zzz
m_addressBarButton
$ArrayType$$$BY0BC@$$CBG
PerfTrackProxy
??_R17?0A@EL@IUnknown@@8
??_R2IOleWindow@@8
get_FontFamily
ZZZ"zzz
PrePrepareMethodAttribute
HandleCommandLineArguments
_GUID_2ce15729_376f_4372_ad30_4148a6326ee8
CSettingsButton.{ctor}
GetObjectData
AddressBarButtonTooltipConverter
ForwardFolderClickCount
UI artifacts.
get_ApplicationName
RestoreUILaunchType
terminate
??_R3CTravelLog@@8
Debug
ThisModule
__m2mep@?SetAsDefFolderSettings@CHistoryVaultMainWindow@@$$FEEAAJXZ
DestroyWindow
TTTpVVVATTTpppp
lpCmdLine
m_mainWindow
jXJ(
Hk9"K
AddressBar
"D"J"Q"W"o"}"
CHistoryVaultMainWindow.CreateViewWindow
CancelNavigationCommand
Increment
QITAB
*Microsoft (R) Windows (R) Operating System
#GUID
GetVersion
HelpCommand
AddressBarRefreshClickCount
FileHistory.pdb
Status
|||PK
get_Width
SetWindowTextW
Search box
FontFamily
StartListening
psvNew
?InitializedPerAppDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
get_Content
__m2mep@?AddRef@CHistoryVaultMainWindow@@$$FG7EAAKXZ
GdipAlloc
get_Instance
CAddressBarButton.s_EditBoxWndProc
Exchange
FolderRestoreToClickCount
UUUnTTTs
??_C@_1BG@NJOGDPO@?$AAS?$AAe?$AAa?$AAr?$AAc?$AAh?$AA?5?$AAb?$AAo?$AAx?$AA?$AA@
<CrtImplementationDetails>.ThisModule.ResolveMethod<void const * __clrcall(void)>
SearchViewTypeChangeCount
grfMode
LoadCursorW
gcroot<Microsoft::Windows::DataProtection::UI::Controls::Primitives::SearchBox ^>.{dtor}
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@F@ATL@@2QEQtagVARIANT@@FEQ3@@@YMXXZ
RtlLookupFunctionEntry
PreviousVersionSliderMultiJumpCount
gcroot<System::String ^>
?H{#s
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@E@ATL@@2QEQtagVARIANT@@EEQ3@@@YMXXZ
_initatexit_m
#!#*#/#8#A#K#W#`#h#q#v#}#
("_(P(
?A0x973da13b.c_rgUpToolbarInfo
Stack
QueryPerformanceCounter
cchToCopy
PjXL(&
get_InnerException
msvcrt.dll
StringFileInfo
pszName
??_C@_1BI@JFAIJMHL@?$AAF?$AAo?$AAr?$AAc?$AAe?$AAR?$AAe?$AAm?$AAo?$AAv?$AAe?$AA?$AA@
gdiplus.dll
[SDtO
ole32.dll
jXL)9
get_DataContext
initialHeight
MoveNext
get_SelectedVersion
_W!Jr9
gcroot<Microsoft::Windows::DataProtection::UI::Controls::Primitives::HistoryButtonEnableDisableConverter ^>
_GUID_cb2f6722_ab3a_11d2_9c40_00c04fa30a3e
HBRUSH__
jXL @
?_lock@AtExitLock@<CrtImplementationDetails>@@$$Q0PEAXEA
.text$mn
UnsafeValueTypeAttribute
rguid2
GetKernelProc
_tiddata_managed
GetIsVersionSelected
ATL.?A0x0c2d36e8.szNoRemove
QISearch
OnDataContextChanged
StringComparison
5v5o4
phwnd
CHistoryVaultMainWindow.GetTargetItem
CHistoryVaultMainWindow.GetToolbarIconSize
get_States
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAM@ATL@@2QEQtagVARIANT@@PEAMEQ3@@@YMXXZ
Microsoft.Windows.DataProtection.UI.DataAdapter
_MEMORY_BASIC_INFORMATION
??_R3IShellNavigationTarget@@8
DecodePointer
get_NestedException
AllocHGlobal
__m2mep@?Stop@CHistoryVaultMainWindow@@$$FEEAAJXZ
Gdiplus.?A0x0c2d36e8.GenericTypographicStringFormatBuffer
<requestedExecutionLevel
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@I@ATL@@2QEQtagVARIANT@@IEQ3@@@YMXXZ
AddHWndLayoutElement
??_C@_1BI@JGGGBACA@?$AAT?$AAr?$AAa?$AAv?$AAe?$AAl?$AA?5?$AAb?$AAa?$AAn?$AAd?$AA?$AA@
pExPtrs
CTravelLog
__m2mep@?GetNavItemTitle@CHistoryVaultMainWindow@@$$FEEAAJJPEAGK@Z
^UU&&'9~
ReadOnlyCollection`1
Gdiplus.Graphics.{dtor}
=sRW@=
</asmv3:windowsSettings>
psvOld
<CrtImplementationDetails>.DefaultDomain.DoNothing
set_Target
ju1p]
({b3A
?A0x2442659e.??__E?InitializedPerAppDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
?A0x00a411d4.?pfnDecodePointer@?1??_decode_pointer@@YAPEAXPEAX@Z@4P6APEAX0@ZEA
$PTMType$QEQtagVARIANT@@I
UpdateWindow
__m2mep@?Release@CHistoryVaultMainWindow@@$$FGBI@EAAKXZ
WWW@TTToTTTsbbb
<CrtImplementationDetails>.AtExitLock._lock_Set
CHistoryVaultMainWindow.DisplayParseError
CHistoryVaultMainWindow.GetTravelLog
??_R1A@?0A@EA@IUnknown@@8
get_CurrentCulture
$ArrayType$$$BY0O@$$CBD
System.Runtime.ExceptionServices
set_MainWindowHandle
[[[d\\\a\\\a[[[daaa
CUpButtonEventHandlerWrapper
__m2mep@?GetViewStateStream@CHistoryVaultMainWindow@@$$FEEAAJKPEAPEAUIStream@@@Z
CHistoryVaultMainWindow.Release
System.Reflection
_GUID_000214e2_0000_0000_c000_000000000046
?A0x2442659e.?Initialized$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZEA
AddValue
DataContextChangedEventHandler
Microsoft.VisualC
CHistoryVaultMainWindow.CreateStaticParent
??_R3IUnknown@@8
'$<aC
^^^oVVVAiii
The C++ module failed to load.
IShellView
_IMAGELIST
Gdiplus.Brush.__vecDelDtor
<CrtImplementationDetails>.LanguageSupport.InitializePerAppDomain
CoCreateGuid
__m2mep@?GetPalette@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAUHPALETTE__@@@Z
RtlVirtualUnwind
.CRTMP$XCA
??3@YAXPEAX@Z
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAN@ATL@@2QEQtagVARIANT@@PEANEQ3@@@YMXXZ
gcroot<System::String ^>.{dtor}
?pmField@?$CVarTypeInfo@PEAH@ATL@@2QEQtagVARIANT@@PEAHEQ3@
CHistoryVaultMainWindow.FreeGDIResources
CHistoryVaultMainWindow.KeyboardCallback
pdwFlags
CLSID_TravelBand
LanguageSupport
__unep@?s_TBWndProc@CAddressBarButton@@$$FSA_JPEAUHWND__@@I_K_J11@Z
ErrorPageDisplayed
System
get_IsContentLoaded
__m2mep@?QueryInterface@CHistoryVaultMainWindow@@$$FEEAAJAEBU_GUID@@PEAPEAX@Z
IDATHx
tagBNSTATE
uFlags
__m2mep@?Release@CTravelLog@@$$FUEAAKXZ
.CRT$XCA
GpBrush
??_R1A@?0A@EA@IShellBrowser@@8
KERNEL32.dll
--- Start of primary exception ---
OleInitialize
??_R3CHistoryVaultMainWindow@@8
__m2mep@?SendControlMsg@CHistoryVaultMainWindow@@$$FEEAAJII_K_JPEA_J@Z
?A0x08c00bb6.StringCopyWorkerW
OOO UUUz<<<?
fShow
?A0x2442659e.__xi_vt_z
GetSubMenu
Gdiplus.SolidBrush.__vecDelDtor
tagOleMenuGroupWidths
?A0xc9aae6d9.c_settingstbb
__m2mep@?QueryInterface@CTravelLog@@$$FUEAAJAEBU_GUID@@PEAPEAX@Z
?InitializedNative@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
ShowAdvancedSettingsDialog
IObjectWithSite
`.nep
UnhandledExceptionFilter
CAddressBarButton.{ctor}
get_ExitMenuItem
ExitApplication
DefWindowProcW
RectF
CHistoryVaultMainWindow.OnInitWindow
??_C@_1CA@BPIDFFJM@?$AAT?$AAo?$AAo?$AAl?$AAb?$AAa?$AAr?$AAW?$AAi?$AAn?$AAd?$AAo?$AAw?$AA3?$AA2?$AA?$AA@
?Release@CHistoryVaultMainWindow@@$$FGBI@EAAKXZ
UnmanagedCode
The C++ module failed to load during vtable initialization.
System.Diagnostics
Gdiplus.?A0x0c2d36e8.GenericMonospaceFontFamilyBuffer
??_C@_1O@ELLBDENI@?$AAS?$AAT?$AAA?$AAT?$AAI?$AAC?$AA?$AA@
Int32
VS_VERSION_INFO
?pmField@?$CVarTypeInfo@_J@ATL@@2QEQtagVARIANT@@_JEQ3@
Gdiplus.GdiplusBase.delete
CHistoryVaultMainWindow.QueryService
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@K@ATL@@2P6MXXZEA
uIdSubclass
lNavFlags
CHistoryVaultMainWindow.OnViewWindowActive
RuntimeTypeHandle
.CRT$XCZ
Gdiplus.Graphics.FillRectangle
EnterContextMenuMode
HelpAboutCommand
@y^EQHk
The C++ module failed to load while attempting to initialize the default appdomain.
ExitContextMenuMode
PostQuitMessage
pDtor
Microsoft.Windows.DataProtection.UI.Helpers
??_C@_1CA@CCMEIDOJ@?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs?$AA?5?$AAb?$AAu?$AAt?$AAt?$AAo?$AAn?$AA?$AA@
Exception
get_ModuleHandle
$_TypeDescriptor$_extraBytes_30
ValueType
??_R0?AUIServiceProvider@@@8
SendMessageW
get_FolderViewTypeMediumIcons
D.W _(P*
$ArrayType$$$BY06$$CBG
Home button
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAPEAUIDispatch@@@ATL@@2QEQtagVARIANT@@PEAPEAUIDispatch@@EQ3@@@YMXXZ
__m2mep@?GetNavigateState@CHistoryVaultMainWindow@@$$FEEAAJPEAW4tagBNSTATE@@@Z
CHistoryVaultMainWindow.SetStatusTextSB
wParam
?IsDefaultDomain@CurrentDomain@<CrtImplementationDetails>@@$$Q2_NA
.data
yvmlcaX
value__
<CrtImplementationDetails>.AtExitLock._lock_Destruct
__m2mep@?StaticWndProc@CHistoryVaultMainWindow@@$$FCA_JPEAUHWND__@@I_K_J@Z
^^^+iii
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEAE@ATL@@2P6MXXZEA
_s__RTTIBaseClassDescriptor2
Refresh button
pfShown
$ArrayType$$$BY0P@Q6AXXZ
Microsoft.Windows.DataProtection.Common.Tracing
SSS=ZZZ"ZZZ"SSS=eee
memset
set_pt_x
Color
CLSCompliantAttribute
__unep@?s_TravelWndProc@@$$FYA_JPEAUHWND__@@I_K_J@Z
??_C@_1O@MOBNNEMB@?$AAB?$AAU?$AAT?$AAT?$AAO?$AAN?$AA?$AA@
CHistoryVaultMainWindow.Refresh
Microsoft.Windows.DataProtection.UI.Controls.Primitives
UUUY]]]
SearchUsageCount
GlobalSettings
?pmField@?$CVarTypeInfo@PEAN@ATL@@2QEQtagVARIANT@@PEANEQ3@
ccc)fff
HMENU__
F!N!X!_!i!s!
GetProcAddress
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAH@ATL@@2QEQtagVARIANT@@PEAHEQ3@@@YMXXZ
Gdiplus.?A0x0c2d36e8.GenericMonospaceFontFamily
System.Threading
CHistoryVaultMainWindow.GetHistoryObject
ProductName
__m2mep@?Refresh@CHistoryVaultMainWindow@@$$FEEAAJJ@Z
IItemStore
.CRTMA$XCA
??_C@_1BI@JPEGEELN@?$AAH?$AAo?$AAm?$AAe?$AA?5?$AAb?$AAu?$AAt?$AAt?$AAo?$AAn?$AA?$AA@
CatalogAttachCount
Consistency
AssemblyCopyrightAttribute
TTTpVVVA
__m2mep@?GetTitle@CHistoryVaultMainWindow@@$$FEEAAJPEAUIShellView@@PEAGK@Z
CHistoryVaultMainWindow.GetWindow
__FrameUnwindFilter
?A0x2442659e.__xc_mp_a
.idata$6
$PTMType$QEQtagVARIANT@@PEAD
??_C@_1BO@BDBBOKAG@?$AAR?$AAe?$AAf?$AAr?$AAe?$AAs?$AAh?$AA?5?$AAb?$AAu?$AAt?$AAt?$AAo?$AAn?$AA?$AA@
??_R2SolidBrush@Gdiplus@@8
0;\bj
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@I@ATL@@2P6MXXZEA
2t3+2
]TpH}j!
CAddressBarButtonEventHandlerWrapper
GdipFree
set_LocaleNameMaxLength
Microsoft.Windows.DataProtection.UI.Controls
$PTMType$QEQtagVARIANT@@G
__m2mep@?UpdateExternal@CTravelLog@@$$FUEAAJPEAUIUnknown@@0@Z
?A0x47ab7201.?End@?1??IsPointerInMsvcrtDll@?A0x47ab7201@@YAHPEAXPEAH@Z@4PEAXEA
(j3[(.
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@H@ATL@@2QEQtagVARIANT@@HEQ3@@@YMXXZ
WinMain
D$HE3
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
CHistoryVaultMainWindow.GoForward
Microsoft.Windows.DataProtection.UI.Theming
CHistoryVaultMainWindow.CreateAddressBarButton
pszTitle
/n}$l
.?AVSolidBrush@Gdiplus@@
[U`M2
$PTMType$QEQtagVARIANT@@PEAPEAUIUnknown@@
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAUIDispatch@@@ATL@@2QEQtagVARIANT@@PEAUIDispatch@@EQ3@@@YMXXZ
GdipCreateSolidFill
language="*"
CHistoryVaultMainWindow.CreateAddressBarComboBox
CallNextHookEx
# _(PM
?pmField@?$CVarTypeInfo@PEAK@ATL@@2QEQtagVARIANT@@PEAKEQ3@
FileVersion
CallMsgFilterW
__m2mep@?TranslateAcceleratorSB@CHistoryVaultMainWindow@@$$FEEAAJPEAUtagMSG@@G@Z
CommandsProxy
from the system APIs, such as the GetSystemMetric function. DWM Scaling also introduces bluriness and can cause
,7|6&
XVUQ999
gcroot<CUpButtonEventHandlerWrapper ^>.{dtor}
CTravelLog.GetTravelEntry
vY~^;
get_UpButtonTooltipDisabledState
gcroot<Microsoft::Windows::DataProtection::UI::Controls::Primitives::AddressBarButtonTooltipConverter ^>.{dtor}
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEA_J@ATL@@2P6MXXZEA
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
jXJ :
(jXJ(
Thickness
_s__RTTICompleteObjectLocator2
8jXL)D
CHomeButton
Delete
Address
xwxxww
</dependentAssembly>
CHistoryVaultMainWindow.SendControlMsg
hfd{RQOA
AddressBarButton
__m2mep@?GetBrowserIndex@CHistoryVaultMainWindow@@$$FEEAAKXZ
__m2mep@?RegisterWindow@CHistoryVaultMainWindow@@$$FEEAAJHH@Z
@Qm6t
.`~;W"Po
__onexitend_app_domain
HPALETTE__
ApplicationState
_ModuleUninitializer
0jXL:
v4.0.30319
<CrtImplementationDetails>.LanguageSupport.{dtor}
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
idsTemplate
__m2mep@?NavigateTravelLog@CHistoryVaultMainWindow@@$$FEEAAJJ@Z
??_R0?AVSolidBrush@Gdiplus@@@8
b`^f999
/>
CommandExecutedEventHandler
AddressBarButtonToolbar
.?AUIOleWindow@@
IsJitIntrinsic
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@N@ATL@@2QEQtagVARIANT@@NEQ3@@@YMXXZ
s_pfnTravelBandOldProc
??_C@_1CG@KIFEMMLM@?$AAA?$AAd?$AAd?$AAr?$AAe?$AAs?$AAs?$AAB?$AAa?$AAr?$AAC?$AAo?$AAm?$AAb?$AAo?$AAB?$AAo?$AAx?$AA?$AA@
??_R1BI@?0A@EN@IServiceProvider@@8
GdipCreateFromHDC
$PTMType$QEQtagVARIANT@@PEAI
?A0x47ab7201.GetDllBaseAndSizeFromAddress
GetType
CTravelLog.Release
Gdiplus.?A0x0c2d36e8.GenericSansSerifFontFamilyBuffer
GDI32.dll
??_R1A@?0A@EA@CHistoryVaultMainWindow@@8
__m2mep@?BrowseObject@CHistoryVaultMainWindow@@$$FEEAAJPEFBU_ITEMIDLIST_RELATIVE@@I@Z
CTravelLog.CountEntries
processorArchitecture="*"/>
_ITEMIDLIST_ABSOLUTE
InvalidateRect
Gdiplus
$ArrayType$$$BY0BH@Q6AXXZ
hjXL)
CHistoryVaultMainWindow.TranslateAcceleratorSB
__m2mep@?AddEntry@CTravelLog@@$$FUEAAJPEAUIUnknown@@H@Z
pwszPath
Up Button
FileHistory.exe
$PTMType$QEQtagVARIANT@@PEATtagCY@@
NavigateUp
??_R1A@?0A@EA@ITravelLog@@8
fhuxapi
UUUnWWW@TTToTTTs```
ReliabilityContractAttribute
CTravelLog.Revert
VirtualKey
GdipCloneBrush
_GUID_dfbc7e30_f9e5_455f_88f8_fa98c1e494ca
$jXJ:
?A0x103fe9b9.__alloc_global_lock
TTTpTTTp
?pmField@?$CVarTypeInfo@PEAUIDispatch@@@ATL@@2QEQtagVARIANT@@PEAUIDispatch@@EQ3@
CHistoryVaultMainWindow.UpdateWindowList
H3E H3E
CHistoryVaultMainWindow.SetToolbarItems
InternalName
__m2mep@?OnViewWindowActive@CHistoryVaultMainWindow@@$$FEEAAJPEAUIShellView@@@Z
X,FGG
malloc
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEAF@ATL@@2P6MXXZEA
__m2mep@?InsertMenusSB@CHistoryVaultMainWindow@@$$FEEAAJPEAUHMENU__@@PEAUtagOleMenuGroupWidths@@@Z
NextVersionButtonMultiJumpCount
CUpButton
IHG1][Y
ModuleLoadExceptionHandlerException
$_TypeDescriptor$_extraBytes_17
DebuggerStepThroughAttribute
CCCDc1
FolderRestoreClickCount
.rsrc$02
?A0x2442659e.__xc_ma_a
VersionsJumped
ImplicitAllLibrariesSelectionCount
_unlock
__m2mep@?GetTravelLog@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAUITravelLog@@@Z
get_SearchString
GetDC
Bt16l%
__m2mep@?Revert@CTravelLog@@$$FUEAAJXZ
CAtlReleaseManagedClassFactories
version="6.0.0.0"
CAddressBarButton.UpdateToolbar
idLast
en-US
_ITEMIDLIST_RELATIVE
String
??_R3Brush@Gdiplus@@8
--- End of nested exception ---
kernel32.dll
pbnstate
CHistoryVaultMainWindow.GetPidl
PreviewPageState
DataContextChangedEventArgs
CommandsListener
.text$di
OnCommandExecuted
WWW@|||
gcroot<CAddressBarButtonEventHandlerWrapper ^>.{dtor}
CAddressBarButton.GetInitialWidth
BasicResources
<CrtImplementationDetails>.LanguageSupport.InitializePerProcess
??_C@_0P@OEFGOMJK@kernelbase?4dll?$AA@
__m2mep@?QueryInterface@CHistoryVaultMainWindow@@$$FGBI@EAAJAEBU_GUID@@PEAPEAX@Z
GetCurrentProcessId
PrepareConstrainedRegions
__m2mep@?Release@CHistoryVaultMainWindow@@$$FG7EAAKXZ
<CrtImplementationDetails>.AtExitLock.AddRef
GpGraphics
$_s__RTTIBaseClassArray$_extraBytes_24
$PTMType$QEQtagVARIANT@@PEAH
?InitializedPerProcess@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A
EventArgs
>d:\os\public\amd64fre\internal\strongnamekeys\fake\windows.snk
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@_K@ATL@@2QEQtagVARIANT@@_KEQ3@@@YMXXZ
MapWindowPoints
tagLOGFONTW
NextVersionSliderSingleJumpCount
$PTMType$QEQtagVARIANT@@J
__m2mep@?_UninitializeDefaultDomain@LanguageSupport@<CrtImplementationDetails>@@$$FCAJPEAX@Z
Module
?A0x2442659e.??__E?InitializedPerProcess@CurrentDomain@<CrtImplementationDetails>@@$$Q2W4State@Progress@2@A@@YMXXZ
<backing_store>NestedException
codedptr
WinMainCRTStartup
IShellItem
<CrtImplementationDetails>.LanguageSupport.DomainUnload
??_R3GdiplusBase@Gdiplus@@8
UILaunchType
WriteLine
$_TypeDescriptor$_extraBytes_26
QQQ/eee
COMBOBOX
upButton
--- Start of nested exception ---
set_lParam
.CRTMA$XCC
Gdiplus.Brush.Clone
??_C@_1CA@CPFIBLAA@?$AAS?$AAe?$AAt?$AAt?$AAi?$AAn?$AAg?$AAs?$AAT?$AAo?$AAo?$AAl?$AAB?$AAa?$AAr?$AA?$AA@
SearchRestoreToCount
?A0x0c2d36e8.?pmField$initializer$@?$CVarTypeInfo@PEAPEAG@ATL@@2P6MXXZEA
?A0x2442659e.?InitializedPerProcess$initializer$@CurrentDomain@<CrtImplementationDetails>@@$$Q2P6MXXZEA
%BOW7Cg
TTTsUUUnRRR>
Microsoft.Windows.DataProtection.Common.Native
.CRT$XIZ
?pmField@?$CVarTypeInfo@D@ATL@@2QEQtagVARIANT@@DEQ3@
$_TypeDescriptor$_extraBytes_25
??_C@_1DA@JLJODAGM@?$AAA?$AAd?$AAd?$AAr?$AAe?$AAs?$AAs?$AAB?$AAa?$AAr?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAT?$AAo?$AAo?$AAl?$AAb?$AAa?$AAr?$AA?$AA@
??_R0?AVCTravelLog@@@8
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAPEAUIUnknown@@@ATL@@2QEQtagVARIANT@@PEAPEAUIUnknown@@EQ3@@@YMXXZ
HomeButtonToolbar
__m2mep@?GetHistoryObject@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAUIOleObject@@PEAPEAUIStream@@PEAPEAUIBindCtx@@@Z
??_7CHistoryVaultMainWindow@@6BIServiceProvider@@@
Microsoft.Windows.DataProtection.Adapters
$ArrayType$$$BY0A@P6AXXZ
__m2mep@?SetFlags@CHistoryVaultMainWindow@@$$FEEAAJKK@Z
InitializeGdiplus
EncodePointer
??_R2IShellNavigationTarget@@8
get_RestoreOnLoad
!This program cannot be run in DOS mode.
??_R17?0A@EJ@IOleWindow@@8
.?AVBrush@Gdiplus@@
CHistoryVaultMainWindow.NavigateToUrl
jXL(#
VVVD___
fU-m~
GetTypeFromHandle
System.Globalization
UUUx555>
Gdiplus.SolidBrush.{ctor}
$ArrayType$$$BY0BI@$$CBG
STAThreadAttribute
!(!.!7!<!
b055i
pszFunction
I$A*;
$PTMType$QEQtagVARIANT@@PEAUIDispatch@@
System.Security
CUpButton.s_TBWndProc
USER32.dll
??_R1A@?0A@EA@IOleWindow@@8
__unep@?s_TBWndProc@CUpButton@@$$FSA_JPEAUHWND__@@I_K_J11@Z
$PTMType$QEQtagVARIANT@@PEAPEAG
IViewFilters
gcroot<Microsoft::Windows::DataProtection::UI::Controls::Primitives::FolderPreviewTypeMenuItemsVisibilityConverter ^>
?A0x00a411d4.?fInitialized@?1??_encode_pointer@@YAPEAXPEAX@Z@4_NA
get_LayoutRoot
GCHandle
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAG@ATL@@2QEQtagVARIANT@@PEAGEQ3@@@YMXXZ
pfend
TTTsTTTo
@jXLU
999!999-999-999-
get_ViewMenuItem
<CrtImplementationDetails>.LanguageSupport.InitializeDefaultAppDomain
??_C@_1CA@NGFNLPJB@?$AAU?$AAp?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAT?$AAo?$AAo?$AAl?$AAb?$AAa?$AAr?$AA?$AA@
trrurs
??_C@_1BG@MMDOIEGK@?$AAT?$AAr?$AAa?$AAv?$AAe?$AAl?$AAB?$AAa?$AAn?$AAd?$AA?$AA@
IFreezableCollection`1
CHistoryVaultMainWindow.BrowseObject
RRR>WWW#WWW#RRR>jjj
<CrtImplementationDetails>.LanguageSupport.InitializeNative
OutOfMemoryException
SetWindowSubclass
Settings button
f9H\u
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@G@ATL@@2QEQtagVARIANT@@GEQ3@@@YMXXZ
set_wParam
__ponexitbegin_e
_errno
LoadImageW
color
RestoreToButtonClickCount
??_C@_0N@MDJJJHMB@kernel32?4dll?$AA@
CHomeButton.s_TBWndProc
SID_STopLevelBrowser
__pobjMapEntryLast
__m2mep@?NavigateToPidl@CHistoryVaultMainWindow@@$$FEEAAJPEBU_ITEMIDLIST_ABSOLUTE@@J@Z
2w3+2
J csm
Unloaded
</requestedPrivileges>
GetCurrentProcess
??_C@_1BC@LGNOKEPM@?$AAC?$AAO?$AAM?$AAB?$AAO?$AAB?$AAO?$AAX?$AA?$AA@
xul\caX
Loaded
CHistoryVaultMainWindow.RegisterWindow
x~#^7
CHistoryVaultMainWindow.GetNavItemTitle
lH8o]
GetLocalizedPath
get_UpButtonTooltip
IsEqualGUID
__m2mep@?PopulateTravelLog@CHistoryVaultMainWindow@@$$FEEAAJPEAUIShellTravelLogUI@@@Z
</assembly>
ImageList_LoadImageW
__native_dllmain_reason
__m2mep@?AddRef@CHistoryVaultMainWindow@@$$FEEAAKXZ
Translation
get_MainWindowMinimumWidth
__ehvec_dtor
$_TypeDescriptor$_extraBytes_15
?pmField@?$CVarTypeInfo@G@ATL@@2QEQtagVARIANT@@GEQ3@
__pexit_list_size
CHistoryVaultMainWindow.CreateTravelBand
CHistoryVaultMainWindow.IsControlWindowShown
ATL$__z
get_FolderViewTypeSmallIcons
OleUninitialize
CHistoryVaultMainWindow.{dtor}
__m2mep@?GetPropertyBag@CHistoryVaultMainWindow@@$$FEEAAJKAEBU_GUID@@PEAPEAX@Z
(LMMq
get_IsRestoring
AssemblyKeyFileAttribute
CHistoryVaultMainWindow.AddTravelEntry
IShellNavigationTarget
get_Item
.ctor
xg9b[1
SingleInstanceHelper
get_CurrentIndex
?pmField@?$CVarTypeInfo@F@ATL@@2QEQtagVARIANT@@FEQ3@
CHistoryVaultMainWindow.InsertMenusSB
I$a&;
?Count@AllDomains@<CrtImplementationDetails>@@2HA
CHistoryVaultMainWindow.GetViewItems
?A0x2442659e.__xi_vt_a
<asmv3:application>
ProductVersion
ComboBox
WinSqmSetDWORD
{0}: {1}
WinSqmEndSession
??_R4CHistoryVaultMainWindow@@6BIShellNavigationTarget@@@
__m2mep@?UpdateEntry@CTravelLog@@$$FUEAAJPEAUIUnknown@@H@Z
VVVgRRR
??_C@_1DC@FGGDFKHE@?$AAC?$AAO?$AAw?$AAn?$AAe?$AAr?$AAD?$AAr?$AAa?$AAw?$AAP?$AAo?$AAp?$AAu?$AAp?$AAM?$AAe?$AAn?$AAu?$AA_?$AAT?$AAh?$AAi?$AAs?$AA?$AA@
Enter
ShowWindow
ATL.CAtlComModule.Term
_onexit
.CRT$XIAA
tagPOINT
urstqr
op_Equality
get_FolderViewTypeLargeIcons
CSettingsButton.ToolBarButtonDropDown
??_R17?0A@EA@GdiplusBase@Gdiplus@@8
TTTsTTTsTTTsTTTs
__pobjMapEntryFirst
??_7type_info@@6B@
Windows
_getptd_noexit
$PTMType$QEQtagVARIANT@@N
IsBoxed
IsImplicitlyDereferenced
__m2mep@?UpdateBackForwardState@CHistoryVaultMainWindow@@$$FEEAAJXZ
PreviousState
" F K z
VVVDTTT
?A0x973da13b.SQM_NULL_STRING_ENTRY
get_FolderViewTypeContent
Invoke
??_R1A@?0A@EA@GdiplusBase@Gdiplus@@8
.idata$2
?A0xc2488d5d.c_hometbb
VVVDTTTsVVVD
CAddressBarButton._UpdateToolbar
.CRT$XCL
__m2mep@?SetToolbarItems@CHistoryVaultMainWindow@@$$FEEAAJPEAU_TBBUTTON@@II@Z
_RTL_CRITICAL_SECTION
<CrtImplementationDetails>.ThisModule.Handle
set_message
mainWindow
U)3t3+2Richu3+2
??_R1BA@?0A@EN@IShellBrowserService@@8
CheckMenuRadioItem
get_Height
methodToken
FixedAddressValueTypeAttribute
CHistoryVaultMainWindow.SetNavigateState
ATL.?A0x0c2d36e8.szValToken
y}UU9|
HomeButtonClickCount
DataContextElementBase
CSettingsButton._UpdateToolbar
.xdata
?pmField@?$CVarTypeInfo@TtagCY@@@ATL@@2QEQtagVARIANT@@TtagCY@@EQ3@
High Contrast White
ATL._AtlReleaseManagedClassFactories
CTravelLog.AddEntry
?A0xc9aae6d9.c_rgSettingsToolbarInfo
.?AVCTravelLog@@
jXL)?
OptionsRestoreClickCount
System.Runtime.InteropServices
Microsoft.Windows.DataProtection.Common.Sqm
$jXJ(
$_TypeDescriptor$_extraBytes_23
.?AUIShellNavigationTarget@@
ZZZe[[[FWWW
Operating System
IsRestoreSession
?QueryInterface@CHistoryVaultMainWindow@@$$FGBI@EAAJAEBU_GUID@@PEAPEAX@Z
$_s__RTTIBaseClassArray$_extraBytes_16
CTravelLog.UpdateEntry
U/3`3+2
wwwwx
hInstance
?A0x47ab7201.?Begin@?1??IsPointerInMsvcrtDll@?A0x47ab7201@@YAHPEAXPEAH@Z@4PEAXEA
_cexit
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@J@ATL@@2QEQtagVARIANT@@JEQ3@@@YMXXZ
?pmField@?$CVarTypeInfo@PEAPEAG@ATL@@2QEQtagVARIANT@@PEAPEAGEQ3@
.?AVGdiplusBase@Gdiplus@@
??_R0?AUIShellBrowser@@@8
?A0xd2a78b63.SQM_NULL_STRING_ENTRY
??_C@_1CE@ECAONFMJ@?$AAH?$AAo?$AAm?$AAe?$AAB?$AAu?$AAt?$AAt?$AAo?$AAn?$AAT?$AAo?$AAo?$AAl?$AAb?$AAa?$AAr?$AA?$AA@
System.Collections.Generic
VVVDVVVDxxx
GetLastError
__m2mep@?IsControlWindowShown@CHistoryVaultMainWindow@@$$FEEAAJIPEAH@Z
_commode
$ArrayType$$$BY00$$CBU_TBBUTTON@@
get_SettingsButtonTooltip
!.MD.
_amsg_exit
rguid1
RuntimeHelpers
?terminate@@YAXXZ
lpnmTB
$ArrayType$$$BY0L@$$CBG
<CrtImplementationDetails>
fIsLocalAnchor
?pmField@?$CVarTypeInfo@H@ATL@@2QEQtagVARIANT@@HEQ3@
jXL D
IShellBrowserService
fEnable
.rdata$ilfixup
OptionsRestoreToClickCount
holemenu
__set_formal
jXL)F
get_Current
HistoryButtonMenuItemTextConverter
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEAF@ATL@@2QEQtagVARIANT@@PEAFEQ3@@@YMXXZ
AddressBarGoClickCount
lParam
ReAllocHGlobal
SearchPageState
<CrtImplementationDetails>.DefaultDomain.NeedsInitialization
tagTPMPARAMS
Gdiplus.?A0x0c2d36e8.GenericDefaultStringFormatBuffer
HDC__
?pmField@?$CVarTypeInfo@PEATtagCY@@@ATL@@2QEQtagVARIANT@@PEATtagCY@@EQ3@
set_ApplicationIcon
RuntimeMethodHandle
ToolbarWindow32
ppUnk
get_SettingsMenuItem
ggg~___(UUU
??_R0?AVGdiplusBase@Gdiplus@@@8
?A0x0c2d36e8.??__E?pmField@?$CVarTypeInfo@PEA_J@ATL@@2QEQtagVARIANT@@PEA_JEQ3@@@YMXXZ
`.rdata
__m2mep@?GetPidl@CHistoryVaultMainWindow@@$$FEEAAJPEAPEAU_ITEMIDLIST_ABSOLUTE@@@Z
CUpButton.UpdateButtonEnabledState
jXL)<
__m2mep@??_ESolidBrush@Gdiplus@@$$FUEAAPEAXI@Z
AddContentControl
$ArrayType$$$BY04$$CBU_TBBUTTON@@
__get_default_appdomain
UTRQomi
CTravelLog.AddRef
?A0x47ab7201.IsPointerInMsvcrtDll
IsNullOrEmpty
Filename e0333c0c168b9ee62b0a32853e786862c8cf9b28ac9f37e8373a853c98326f1e
File Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Associated Filenames aa496b2255a27150c56ef82d7c9d4cd0164067ec69e837ce2931b962a490f34f
File Size 341504 bytes
MD5 8f08529b74e248f4d96de0621fa79f61
SHA1 a2c38351bae336960154dc30ef4b2ce1e1dc3dda
SHA256 e0333c0c168b9ee62b0a32853e786862c8cf9b28ac9f37e8373a853c98326f1e
SHA3-384 7196f4e656e3298f674265676a7d19cb7d55e63f2d5dd2c6ce41adccc1e275a55b3962dc9cefbaa5f02a73028890c789
CRC32 C8BAF773
TLSH T1F0743A197E708A74DD6D4532CC2E86885272DDEB1F2257E31190FFBE19F22C896352CA
Ssdeep 6144:yWWu8lZUxzYuVD8ortIxAGJuyobdY1JlKziyBY5FDSf:ylZUlrtIJobd0JNS

PE Information

Image Base 0x140000000
Entry Point 0x00008492
Reported Checksum 0x0004c549
Actual Checksum 0x0004c549
Minimum OS Version 10.0
PDB Path FileHistory.pdb
Compile Time 2005-07-16 02:36:46
Import Hash d23b5cb8cdf319c998c4444e880b8944
Icon Exact Hash 8c93351e73784bd04235119bfae0bb95
Icon Similarity Hash 9d27a003cc9e7f75bc33bb21af49a342
Icon DHash 64646464dccc8ccd

Version Infos

CompanyName Microsoft Corporation
FileDescription File History
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName FileHistory.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename FileHistory.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000764b 0x00007800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.41
.nep 0x00007c00 0x00009000 0x00000b00 0x00000c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 3.12
.rdata 0x00008800 0x0000a000 0x00016998 0x00016a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.16
.data 0x0001f200 0x00021000 0x00001720 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.74
.pdata 0x0001fe00 0x00023000 0x00000138 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.79
.rsrc 0x00020000 0x00024000 0x0001d0a8 0x0001d200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.29
.reloc 0x0003d200 0x00042000 0x00000124 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.69

Name Offset Size Language Sub-language Entropy File type
MUI 0x00040fd0 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_BITMAP 0x00039890 0x0000102a LANG_ENGLISH SUBLANG_ENGLISH_US 1.18 None
RT_BITMAP 0x0003a8c0 0x0000192a LANG_ENGLISH SUBLANG_ENGLISH_US 1.12 None
RT_BITMAP 0x0003c1f0 0x0000242a LANG_ENGLISH SUBLANG_ENGLISH_US 1.07 None
RT_BITMAP 0x0003e620 0x000014d4 LANG_ENGLISH SUBLANG_ENGLISH_US 6.15 None
RT_BITMAP 0x0003faf8 0x000014d4 LANG_ENGLISH SUBLANG_ENGLISH_US 5.88 None
RT_ICON 0x00024e88 0x0000561e LANG_ENGLISH SUBLANG_ENGLISH_US 7.96 None
RT_ICON 0x0002a4a8 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 4.12 None
RT_ICON 0x0002e6d0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.27 None
RT_ICON 0x00030c78 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.30 None
RT_ICON 0x000326e0 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.36 None
RT_ICON 0x00033788 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.66 None
RT_ICON 0x00034110 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.70 None
RT_ICON 0x000347c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.23 None
RT_ICON 0x00034ca8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.12 None
RT_ICON 0x00035630 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.01 None
RT_ICON 0x00035ac0 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.89 None
RT_ICON 0x00036448 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.98 None
RT_ICON 0x000368d8 0x000001e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_ICON 0x00036ac0 0x000001a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.19 None
RT_ICON 0x00036c68 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_ICON 0x00036d90 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 1.10 None
RT_ICON 0x00037458 0x00000608 LANG_ENGLISH SUBLANG_ENGLISH_US 0.83 None
RT_ICON 0x00037a60 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 0.74 None
RT_ICON 0x00037fc8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 1.60 None
RT_ICON 0x00038950 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 1.37 None
RT_ICON 0x00039008 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 1.55 None
RT_GROUP_ICON 0x00034c30 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_GROUP_ICON 0x00035a98 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.50 None
RT_GROUP_ICON 0x000368b0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_GROUP_ICON 0x00039470 0x00000084 LANG_ENGLISH SUBLANG_ENGLISH_US 3.03 None
RT_VERSION 0x000394f8 0x00000398 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None
RT_MANIFEST 0x000246e0 0x000007a5 LANG_ENGLISH SUBLANG_ENGLISH_US 4.83 None

Imports

Name Address
memset 0x14000a2c0
__C_specific_handler 0x14000a2c8
_callnewh 0x14000a2d0
malloc 0x14000a2d8
_errno 0x14000a2e0
_XcptFilter 0x14000a2e8
_unlock 0x14000a2f0
_amsg_exit 0x14000a2f8
__getmainargs 0x14000a300
__set_app_type 0x14000a308
exit 0x14000a310
_exit 0x14000a318
?terminate@@YAXXZ 0x14000a320
_onexit 0x14000a328
__dllonexit 0x14000a330
??3@YAXPEAX@Z 0x14000a338
_lock 0x14000a340
??1type_info@@UEAA@XZ 0x14000a348
_commode 0x14000a350
_fmode 0x14000a358
_acmdln 0x14000a360
_initterm 0x14000a368
__setusermatherr 0x14000a370
_ismbblead 0x14000a378
_cexit 0x14000a380
Name Address
RtlCaptureContext 0x14000a390
RtlLookupFunctionEntry 0x14000a398
RtlVirtualUnwind 0x14000a3a0
WinSqmIsOptedIn 0x14000a3a8
WinSqmStartSession 0x14000a3b0
WinSqmSetDWORD 0x14000a3b8
WinSqmSetString 0x14000a3c0
WinSqmEndSession 0x14000a3c8
Name Address
VirtualQuery 0x14000a060
GetVersion 0x14000a068
SetLastError 0x14000a070
GetProcAddress 0x14000a078
GetModuleHandleA 0x14000a080
InitializeCriticalSection 0x14000a088
DeleteCriticalSection 0x14000a090
GetLastError 0x14000a098
Sleep 0x14000a0a0
GetStartupInfoW 0x14000a0a8
SetUnhandledExceptionFilter 0x14000a0b0
GetModuleHandleW 0x14000a0b8
QueryPerformanceCounter 0x14000a0c0
GetCurrentProcessId 0x14000a0c8
GetCurrentThreadId 0x14000a0d0
GetSystemTimeAsFileTime 0x14000a0d8
GetTickCount 0x14000a0e0
UnhandledExceptionFilter 0x14000a0e8
GetCurrentProcess 0x14000a0f0
TerminateProcess 0x14000a0f8
Name Address
MapWindowPoints 0x14000a120
CheckMenuRadioItem 0x14000a128
CreateMenu 0x14000a130
GetSubMenu 0x14000a138
TrackPopupMenuEx 0x14000a140
AppendMenuW 0x14000a148
GetDC 0x14000a150
SendMessageW 0x14000a158
GetClientRect 0x14000a160
SetWindowPos 0x14000a168
ShowWindow 0x14000a170
GetSysColor 0x14000a178
CreateWindowExW 0x14000a180
SetWindowTextW 0x14000a188
ReleaseDC 0x14000a190
LoadImageW 0x14000a198
GetMessageW 0x14000a1a0
DispatchMessageW 0x14000a1a8
SystemParametersInfoW 0x14000a1b0
CallWindowProcW 0x14000a1b8
CallNextHookEx 0x14000a1c0
GetFocus 0x14000a1c8
GetKeyState 0x14000a1d0
SetWindowLongPtrW 0x14000a1d8
LoadIconW 0x14000a1e0
SetWindowsHookExW 0x14000a1e8
DestroyWindow 0x14000a1f0
PostQuitMessage 0x14000a1f8
DefWindowProcW 0x14000a200
LoadCursorW 0x14000a208
RegisterClassExW 0x14000a210
UpdateWindow 0x14000a218
TranslateMessage 0x14000a220
CallMsgFilterW 0x14000a228
InvalidateRect 0x14000a230
Name Address
CreateSolidBrush 0x14000a038
DeleteObject 0x14000a040
CreateFontW 0x14000a048
GetDeviceCaps 0x14000a050
Name Address
_CorExeMain 0x14000a2a8
CorBindToRuntimeEx 0x14000a2b0
Name Address
CoCreateInstance 0x14000a3d8
OleUninitialize 0x14000a3e0
OleInitialize 0x14000a3e8
CoCreateGuid 0x14000a3f0
Name Address
ImageList_LoadImageW 0x14000a000
ImageList_Destroy 0x14000a008
ImageList_ReplaceIcon 0x14000a020
ImageList_Create 0x14000a028
Name Address
OpenThemeData 0x14000a240
DrawThemeBackground 0x14000a248
CloseThemeData 0x14000a250
Name Address
GdipFree 0x14000a260
GdipAlloc 0x14000a268
GdipDeleteBrush 0x14000a270
GdipDeleteGraphics 0x14000a278
GdipCreateSolidFill 0x14000a280
GdipCreateFromHDC 0x14000a288
GdipCloneBrush 0x14000a290
GdipFillRectangle 0x14000a298


Assembly Information

Name FileHistory
Version 10.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
Microsoft.VisualC 10.0.0.0
System 4.0.0.0
System.Core 4.0.0.0
fhuxapi 10.0.0.0
fhuxcommon 10.0.0.0
fhuxpresentation 10.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright (c) Microsoft Corporation. All rights reserve
Assembly [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute .NETFramework,Version=v4
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute Microsoft Corporati
Assembly [mscorlib]System.Reflection.AssemblyKeyFileAttribute d:\os\public\amd64fre\internal\strongnamekeys\fake\windows.s
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute Microsoft (R) Windows (R) Operating Syst
TypeRef [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute .NETFramework,Version=v4
TypeRef [mscorlib]System.Reflection.AssemblyProductAttribute Microsoft (R) Windows (R) Operating Syst
TypeRef [mscorlib]System.Reflection.AssemblyKeyFileAttribute d:\os\public\amd64fre\internal\strongnamekeys\fake\windows.s
TypeRef [mscorlib]System.Reflection.AssemblyCompanyAttribute Microsoft Corporati
TypeRef [mscorlib]System.Reflection.AssemblyVersionAttribute 10.0.0
TypeRef [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright (c) Microsoft Corporation. All rights reserve

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.CallConvCdecl
mscorlib System.Runtime.CompilerServices.IsConst
mscorlib System.Runtime.CompilerServices.UnsafeValueTypeAttribute
mscorlib System.Runtime.CompilerServices.NativeCppClassAttribute
mscorlib System.ValueType
mscorlib System.Enum
mscorlib System.Runtime.CompilerServices.IsSignUnspecifiedByte
mscorlib System.CLSCompliantAttribute
mscorlib System.Runtime.CompilerServices.DecoratedNameAttribute
mscorlib System.Runtime.CompilerServices.IsImplicitlyDereferenced
mscorlib System.Runtime.CompilerServices.IsLong
mscorlib System.Security.Permissions.SecurityAction
mscorlib System.Security.Permissions.SecurityPermissionAttribute
mscorlib System.Runtime.CompilerServices.AssemblyAttributesGoHereSM
mscorlib System.Object
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Data.DataContextChangedEventArgs
System System.ComponentModel.PropertyChangedEventArgs
fhuxpresentation Microsoft.Windows.DataProtection.UI.ApplicationState
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.PreviewPageState
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.SearchPageState
fhuxpresentation Microsoft.Windows.DataProtection.UI.IPageState
fhuxpresentation Microsoft.Windows.DataProtection.UI.DataAdapter.ContainerVersion
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.AddressBarButtonState
mscorlib System.String
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.AddressBar
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.AddressBarButtonTooltipConverter
mscorlib System.Runtime.InteropServices.GCHandle
mscorlib System.IntPtr
fhuxcommon Microsoft.Windows.DataProtection.Common.Sqm.SqmVariables
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.LayoutRoot
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Globalization.CultureInfo
mscorlib System.Type
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.HWndLayoutElement
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.Win32ComboBoxBase
fhuxpresentation Microsoft.Windows.DataProtection.UI.Helpers.Localization
mscorlib System.StringComparison
fhuxapi Microsoft.Windows.DataProtection.Adapters.IFreezableCollection`1
fhuxpresentation Microsoft.Windows.DataProtection.UI.DataAdapter.Version
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Data.DataContextElementBase
System System.ComponentModel.INotifyPropertyChanged
System System.ComponentModel.PropertyChangedEventHandler
mscorlib System.Collections.ObjectModel.ReadOnlyCollection`1
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Data.DataContextChangedEventHandler
fhuxpresentation Microsoft.Windows.DataProtection.UI.Globals
fhuxpresentation Microsoft.Windows.DataProtection.UI.Theming.StringResources
mscorlib System.Int32
mscorlib System.Boolean
fhuxpresentation Microsoft.Windows.DataProtection.Common.Native.MSG
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.HistoryButtonEnableDisableConverter
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.HistoryButtonMenuItemTextConverter
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.SearchBox
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.Input.FocusManager
mscorlib System.Runtime.CompilerServices.IsExplicitlyDereferenced
fhuxcommon Microsoft.Windows.DataProtection.Common.Sqm.RestoreUILaunchType
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Collections.Generic.List`1
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.FolderPreviewViewType
fhuxpresentation Microsoft.Windows.DataProtection.UI.GlobalSettings
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.Size
mscorlib System.Runtime.CompilerServices.IsUdtReturn
fhuxpresentation Microsoft.Windows.DataProtection.UI.DefaultApplicationSettings
fhuxpresentation Microsoft.Windows.DataProtection.UI.Helpers.WindowLocationHelper
fhuxpresentation Microsoft.Windows.DataProtection.UI.NavigationHistory
fhuxpresentation Microsoft.Windows.DataProtection.UI.CommandsListener
fhuxpresentation Microsoft.Windows.DataProtection.UI.Theming.BasicResources
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.Thickness
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.Input.VirtualKey
fhuxpresentation Microsoft.Windows.DataProtection.Common.Native.HRESULT
fhuxpresentation Microsoft.Windows.DataProtection.Common.Native.SSCTEXTFLAGS
fhuxpresentation Microsoft.Windows.DataProtection.UI.CommandLineParser
mscorlib System.Runtime.CompilerServices.IsBoxed
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.HistoryButtonTooltipConverter
System System.Diagnostics.Debug
mscorlib System.Threading.Interlocked
mscorlib System.STAThreadAttribute
fhuxcommon Microsoft.Windows.DataProtection.Common.Tracing.Logger
fhuxcommon Microsoft.Windows.DataProtection.Common.Tracing.EventTracer
fhuxpresentation Microsoft.Windows.DataProtection.UI.PerfTrackProxy
fhuxpresentation Microsoft.Windows.DataProtection.UI.DataAdapter.PresentationDataAdapter
fhuxpresentation Microsoft.Windows.DataProtection.UI.Helpers.SingleInstanceHelper
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.CommandExecutedEventArgs
fhuxpresentation Microsoft.Windows.DataProtection.UI.Controls.Primitives.FolderPreviewTypeMenuItemsVisibilityConverter
mscorlib System.IFormatProvider
fhuxpresentation Microsoft.Windows.DataProtection.UI.Framework.Layout.CommandExecutedEventHandler
mscorlib System.Reflection.AssemblyDelaySignAttribute
mscorlib System.Reflection.AssemblyKeyFileAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyVersionAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Runtime.CompilerServices.AssemblyAttributesGoHere
mscorlib System.Runtime.CompilerServices.IsVolatile
mscorlib System.Exception
mscorlib System.Diagnostics.DebuggerStepThroughAttribute
mscorlib System.Runtime.ConstrainedExecution.ReliabilityContractAttribute
mscorlib System.Runtime.ConstrainedExecution.Consistency
mscorlib System.Runtime.ConstrainedExecution.Cer
mscorlib System.EventArgs
mscorlib System.Runtime.ConstrainedExecution.PrePrepareMethodAttribute
mscorlib System.Runtime.CompilerServices.FixedAddressValueTypeAttribute
mscorlib System.EventHandler
mscorlib System.GC
mscorlib System.AppDomain
mscorlib System.Runtime.ExceptionServices.HandleProcessCorruptedStateExceptionsAttribute
mscorlib System.Runtime.CompilerServices.IsJitIntrinsic
mscorlib System.OutOfMemoryException
mscorlib System.Threading.Monitor
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
mscorlib System.Collections.Stack
mscorlib System.IDisposable
mscorlib System.Collections.IEnumerator
mscorlib System.Delegate
mscorlib System.RuntimeTypeHandle
mscorlib System.ModuleHandle
mscorlib System.RuntimeMethodHandle
mscorlib System.Reflection.Module
mscorlib System.Security.SuppressUnmanagedCodeSecurityAttribute


Usage


Processing ( 13.13 seconds )

  • 11.665 ProcessMemory
  • 1.39 CAPE
  • 0.064 BehaviorAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 recon_fingerprint
  • 0.001 lokibot_mutexes

Reporting ( 0.02 seconds )

  • 0.013 CAPASummary
  • 0.003 JsonDump

Signatures

Checks available memory
The PE file contains a PDB path
pdbpath: FileHistory.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: FileHistory.exe, PID 5112
Guard pages use detected - possible anti-debugging.
Resumed a thread in another process
thread_resumed: Process filehistory.exe with process ID 5112 resumed a thread in another process with the process ID 5112
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.nep', 'raw_address': '0x00007c00', 'virtual_address': '0x00009000', 'virtual_size': '0x00000b00', 'size_of_data': '0x00000c00', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '3.12'}
Creates RWX memory
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 5112 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.