pendmoves64.exe

  • File Path: C:\SysinternalsSuite\pendmoves64.exe
  • Description: Lists pending delayed movefile operations

Hashes

Type Hash
MD5 287563A3DCC9BBF15700E4423F6281EB
SHA1 A5F96D925B4231C8038CC0EE84F62D153B6290B0
SHA256 3E7B1FCD9E8C0CCA2BFC1140A8CEAA1E319487AC1F466EAB01648443B80D9108
SHA384 90C390032C684FE6ACD1B83D08F29C7548EDD37A58E6F6F0901AA8047D3A2F35F999C41E03BE40564123FEE2EAEFF90C
SHA512 CCB0F4453CABBA2453D2D413A573A858F4AD08223465BDBD3B18B800BD5B4A44C8A906EA52E24F786CADFC43327258144B99BD4FA0A5A19BE4960AB19B5DDDA9
SSDEEP 12288:fJ6+96YEAANpbVuroJF4ujNCg004eIW24HB:x69YzANpbVuroJF46NCg08
IMP 5FA6F9B4FEDBB87894233EDF8F593AF2
PESHA1 E78EC769DFD85D70B3A55FF353CAC9EE24C29A32
PE256 31F031880B9D6472044B5380C092CDA7C3BF421B34E8E0B105365E820F559541

Runtime Data

Usage (stdout):


PendMoves v1.3 - Lists pending delayed movefile operations
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\SysinternalsSuite\ADInsightDll64.dll
   *** Source file lookup error: Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsight64.EXE
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\SysinternalsSuite\ADInsightDll64.dll
   *** Source file lookup error: Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\SysinternalsSuite\ADInsightDll64.dll
   *** Source file lookup error: Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\SysinternalsSuite\ADInsightDll64.dll
   *** Source file lookup error: Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Source: C:\SysinternalsSuite\ADInsightDll64.dll
   *** Source file lookup error: Target: DELETE

Source: C:\Users\user\AppData\Local\Temp\ADInsightDll64.dll
Target: DELETE

Time of last update to pending moves key: 9/25/2020 8:30 AM


Loaded Modules:

Path
C:\SysinternalsSuite\pendmoves64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000187721772155940C709000000000187
  • Thumbprint: 2485A7AFA98E178CB8F30C9838346B514AEA4769
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: pendmoves.exe
  • Product Name: Sysinternals Pendmoves
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.3
  • Product Version: 1.3
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2004-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/3e7b1fcd9e8c0cca2bfc1140a8ceaa1e319487ac1f466eab01648443b80d9108/detection/

Possible Misuse

The following table contains possible examples of pendmoves64.exe being misused. While pendmoves64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_false_sysinternalsuite.yml | - '\pendmoves64.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.