movefile64.exe

  • File Path: C:\SysinternalsSuite\movefile64.exe
  • Description: Creates pending movefile operations

Runtime Data

Usage (stdout):


MoveFile v1.02 - Creates pending movefile operations
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: movefile [/nobanner] [source] [dest]

Specifying an empty destination ("") deletes the source at boot.
/nobanner    Do not display the startup banner and copyright message.


Loaded Modules:

Path
C:\SysinternalsSuite\movefile64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000187721772155940C709000000000187
  • Thumbprint: 2485A7AFA98E178CB8F30C9838346B514AEA4769
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: movefile
  • Product Name: movefile
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.02
  • Product Version: 1.02
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2001-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/beba5a12b0c1a941baa1427656fc1da9a2674dbd6c336b0870c960e65c43a87e/detection/

Possible Misuse

The following table contains possible examples of movefile64.exe being misused. While movefile64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_false_sysinternalsuite.yml | - '\movefile64.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.