ctfmon.exe

  • File Path: C:\WINDOWS\SysWOW64\ctfmon.exe
  • Description: CTF Loader

Hashes

Type     Hash
MD5      82FEE2FD4957DD49F911D12C082AA49C
SHA1     DCB90F0018350B91AD13FE3F1D3BD604DBFB5668
SHA256   30D7F3C7386C36C622F61FBE4EB51E8974F4AB3500C4B83291A19A120EE4FAD6
SHA384   2563414C916C8A7448592444741E1726E90351AB3A9CD5A537452C26DB069E66C5A21DDD82600A652216A6289BBF91AF
SHA512   04093E3A85A183F2BFB70012094AB2346E634C66A6FDE0247B0AA6E29E33D09FE3B0654212A06F951557D555D8361EEBAEBAA43422E02E4E75B16E3ECD7E5D36
SSDEEP   96:c2aVc3qYH8QPQrQAR2M2Z42DWzojcx1qmSxY6yw1KDJ7pRKRdaLEWKgWwjebyH5:0S6YHNsb7oXxY6yw1kSWKgW+Z
IMP      A0DF2CAE30CD48F978A8D80039C738E5
PESHA1   11C1E001016CDD74493931B419D68BE2EF7A1772
PE256    A7D8EA019C1833EE9CB7F937320BF3871F9D810D7D550A705F56954AFC73F42E

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CTFMON.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/30d7f3c7386c36c622f61fbe4eb51e8974f4ab3500c4b83291a19a120ee4fad6/detection

File Similarity (ssdeep match)

Other catalogued copies of ctfmon.exe whose ssdeep hash matches this file. Score is the ssdeep comparison score (0 to 100; higher means more similar). The same path listed more than once refers to different versions of the file.

File                              Score
C:\WINDOWS\system32\ctfmon.exe    38
C:\Windows\SysWOW64\ctfmon.exe    36
C:\Windows\SysWOW64\ctfmon.exe    33
C:\Windows\SysWOW64\ctfmon.exe    40
C:\windows\SysWOW64\ctfmon.exe    33
C:\WINDOWS\SysWOW64\ctfmon.exe    35

Possible Misuse

The following entries show detection content (Sigma rules, YARA rules and IOC tables) that references ctfmon.exe. ctfmon.exe is not inherently malicious, but its legitimate functionality and well-known name can be abused, so rules reference both the genuine System32 path and lookalike artifacts such as ctfmon.tmp or ctfmon.log under a user's Temp directory. Each entry gives the source repository, the source file, the matching line or row, and the source's license.

  • sigma, proc_access_win_in_memory_assembly_execution.yml (DRL 1.0):
      - 'C:\WINDOWS\system32\ctfmon.exe'
  • malware-ioc, amavaldo (© ESET 2014-2018):
      6C04499F7406E270B590374EF813C4012530273E | ctfmon.exe | Abused legitimate application | Clean file
  • signature-base, apt_four_element_sword.yar (CC BY-NC 4.0):
      $s1 = "\System32\ctfmon.exe" fullword ascii
  • signature-base, apt_poisonivy.yar (CC BY-NC 4.0):
      $s0 = "%USERPROFILE%\AppData\Local\Temp\Low\ctfmon.log" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.015' */
      $s1 = "%USERPROFILE%\AppData\Local\Temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.015' */
      $s2 = "\temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
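The Hashes, Signature and File Metadata sections above give everything needed to check whether a copy of ctfmon.exe on a host is this exact build, and the misuse entries show why a running ctfmon.exe outside the Windows system directories deserves a look. The script below is an added example written for this page; it is not Strontic's code and not part of any of the rule sets listed. It assumes Windows PowerShell 5.1 or later and uses only built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature, Get-Item, Get-Process). The function and variable names are the example's own.

```powershell
# Added example (not part of the Strontic page): verify a ctfmon.exe image against the
# hash, signer and version values listed on this page, then look for running instances
# that do not look like a genuine copy. Assumes Windows PowerShell 5.1 or later.

# Reference values copied from the Hashes, Signature and File Metadata sections above.
$Reference = @{
    Sha256     = '30D7F3C7386C36C622F61FBE4EB51E8974F4AB3500C4B83291A19A120EE4FAD6'
    Thumbprint = '312860D2047EB81F8F58C29FF19ECDB4C634CF6A'
    Subject    = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    Version    = '10.0.22000.1'
}

function Test-CtfmonImage {
    param([Parameter(Mandatory)][string]$Path)

    $r = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path -PathType Leaf) }
    if (-not $r.Exists) { return [pscustomobject]$r }

    # Content hash: a match identifies this exact build (32-bit 10.0.22000.1), nothing else.
    $r.Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $r.Sha256Matches = ($r.Sha256 -ieq $Reference.Sha256)

    # Authenticode: every genuine build must verify and be signed as "Microsoft Windows";
    # the thumbprint additionally pins the certificate recorded on this page.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $r.SignatureStatus   = $sig.Status
    $r.SignatureType     = $sig.SignatureType      # Embedded or Catalog
    $r.SignerSubject     = $sig.SignerCertificate.Subject
    $r.SignedByMsWindows = (($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -eq $Reference.Subject))
    $r.ThumbprintMatches = ($sig.SignerCertificate.Thumbprint -ieq $Reference.Thumbprint)

    # Version resource, as shown under "File Metadata".
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $r.ProductVersion   = $vi.ProductVersion
    $r.OriginalFilename = $vi.OriginalFilename
    $r.VersionMatches   = ($vi.ProductVersion -eq $Reference.Version)

    # Location: the genuine binary lives only in System32 (64-bit) or SysWOW64 (32-bit).
    $expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $r.InExpectedDir = ($expectedDirs -contains (Split-Path -Parent $Path))

    [pscustomobject]$r
}

function Find-SuspiciousCtfmon {
    # Running ctfmon.exe instances whose image is not a Microsoft Windows-signed binary
    # in a Windows system directory. Other users' processes need an elevated session.
    Get-Process -Name ctfmon -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Test-CtfmonImage -Path $_ } |
        Where-Object { -not ($_.SignedByMsWindows -and $_.InExpectedDir) }
}

# Usage
Test-CtfmonImage -Path "$env:SystemRoot\SysWOW64\ctfmon.exe" | Format-List
Find-SuspiciousCtfmon | Format-Table Path, SignatureStatus, SignerSubject, InExpectedDir
```

Two caveats when reading the output. Windows system binaries such as ctfmon.exe are normally catalog-signed rather than carrying an embedded signature, which Get-AuthenticodeSignature reports as SignatureType Catalog on current Windows versions; the signature still verifies, and SignedByMsWindows is the general health check to rely on. Sha256Matches and ThumbprintMatches pin the specific file described on this page, so on any other Windows build they will legitimately be False and only say that the host has a different version, not a tampered one.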

MIT License. Copyright (c) 2020-2021 Strontic.