replace
Replaces (copies) files from a source to a destination directory. Can be used to stage payloads by copying files into target directories.
Binary Paths
C:\Windows\System32\replace.exe
Glob Patterns
| Pattern | Notes |
|---|---|
for /f %i in ('where replac*.exe') do %i C:\source\payload.exe C:\dest\
|
replac* uniquely matches replace.exe — rep*.exe is too broad (also hits repair-bde.exe) |
for /f %i in ('where r?place.exe') do %i C:\source\payload.exe C:\dest\
|
Single char wildcard replaces 'e' |
for /f %i in ('where replac?.exe') do %i C:\source\payload.exe C:\dest\
|
Single char wildcard replaces last char 'e' |
for /f %i in ('dir /b C:\Windows\System32\replac*.exe') do %i C:\src\p.exe C:\dst\
|
dir /b in System32 with replac* — avoids also matching repair-bde.exe |
forfiles /p C:\Windows\System32 /m replac*.exe /c "@file C:\source\p.exe C:\dest\"
|
forfiles replac* mask uniquely matches replace.exe in System32 |
C:\Windows\System32\replace.exe C:\source\payload.exe C:\dest\ /a
|
Direct invocation — /a adds files that don't already exist in destination |
for %i in (C:\Windows\System32\replac*.exe) do @%i C:\source\payload.exe C:\dest\
|
Native CMD for loop with filesystem glob — replac* uniquely matches replace.exe, avoiding repair-bde.exe |
for /f %i in ('where /r C:\Windows\System32 replac*.exe') do %i C:\source\payload.exe C:\dest\
|
Recursive where search scoped to System32 — replac* uniquely matches replace.exe without hitting repair-bde.exe |
Pattern Tester
$
Try typing replace or a full path like C:\Windows\System32\replace.exe
YARA Rule
Auto-generated detection rule for replace
Platform Notes
replace.exe copies files from a source to a destination directory (not filename-to-filename). The /a flag adds files that are not already present. It is rarely monitored as a file-transfer utility. In batch scripts use %%i instead of %i.