It's possible to delete file and spoof deleted with new copy by direct call to ZwDeleteFile() API.
vulners.com/securityvulns/securityvulns:doc:14713