ctfmon.exe

  • File Path: C:\Windows\SysWOW64\ctfmon.exe
  • Description: CTF Loader

Hashes

Type Hash
MD5 97D7FF9EED95ADF3785F2D0219EEED46
SHA1 C5DED3D1979BA5CB731C7ED003AC0C8172575A8E
SHA256 81CA60464F7E079A3F3411968CFEA5EADE8085A5B96EF46621E07319DC404F1E
SHA384 1B342B7CECDAEF8FFD6BF066FE79E4B44D40E671835EDFB3C2E3482FA35F9F3A42F8CAC56F79C243CDB043EC3D519A24
SHA512 5F2EB7F50709AE0576D471B55B14428B78DE0394A05E8B695BD20E38585FB658A72E0E85E146054FAE0368695A4FBED64A096254716E3737B28F9AA549EA48F9
SSDEEP 96:2E7+2I1ySDnEtAp2RLZHDGjoaS2Hy9osw2mpDJ7pRKRULEW2gWw3epu4:7Itn598ey9osw2m/yW2gWF
IMP A0DF2CAE30CD48F978A8D80039C738E5
PESHA1 D9E57C0E8EBC5CF8AE904884BAF3227FD1642A61
PE256 735A04890A6CA9B619F2019A209B4DD57646D60D8F9D263277AC7B79D648FD0B

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CTFMON.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/81ca60464f7e079a3f3411968cfea5eade8085a5b96ef46621e07319dc404f1e/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\ctfmon.exe 52
C:\Windows\SysWOW64\ctfmon.exe 36
C:\WINDOWS\SysWOW64\ctfmon.exe 40
C:\windows\SysWOW64\ctfmon.exe 36
C:\WINDOWS\SysWOW64\ctfmon.exe 61

Possible Misuse

The following table contains possible examples of ctfmon.exe being misused. ctfmon.exe is not inherently malicious; in the examples below its name and path are borrowed by other software (a ctfmon.tmp or ctfmon.log dropped under %TEMP%, a hard-coded \System32\ctfmon.exe string, a clean copy shipped alongside malware as a lure), so a file or process called ctfmon.exe should be judged by its location, signature and hash rather than by its name.

Source | Source File | Example | License
sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\ctfmon.exe' | DRL 1.0
malware-ioc | amavaldo | "6C04499F7406E270B590374EF813C4012530273E | ctfmon.exe | Abused legitimate application | Clean file" | © ESET 2014-2018
signature-base | apt_four_element_sword.yar | $s1 = "\System32\ctfmon.exe" fullword ascii | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s0 = "%USERPROFILE%\AppData\Local\Temp\Low\ctfmon.log" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.015' */ | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s1 = "%USERPROFILE%\AppData\Local\Temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.015' */ | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s2 = "\temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */ | CC BY-NC 4.0
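The practical check that follows from the rows above is a hunt for copies of ctfmon.exe that do not look like the Windows-signed binary: wrong directory, missing or invalid Authenticode signature, or a signer other than "Microsoft Windows". The PowerShell below is an added example and is not part of the Strontic page or of any of the sources in the table. It assumes the trusted locations are System32, SysWOW64 and WinSxS, and it compares the SysWOW64 copy against the SHA256 recorded on this page; because that hash belongs to build 10.0.17763.1 only, a hash mismatch is reported as informational, not as a finding.

```powershell
# Added example (not from the Strontic page): enumerate every ctfmon.exe on the
# system drive and flag copies that fail the path, signature or signer checks.
# A SHA256 that differs from the value on this page only means "a different
# build of Windows", so it is reported separately from the real findings.

$ExpectedSha256  = '81CA60464F7E079A3F3411968CFEA5EADE8085A5B96EF46621E07319DC404F1E'   # this page, 10.0.17763.1, 32-bit
$ExpectedSubject = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
# Assumption: these are the only directories where a legitimate copy should live.
$TrustedDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

# -Force includes hidden files; unreadable directories are skipped rather than aborting the scan.
$candidates = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ctfmon.exe' -File -Recurse -Force -ErrorAction SilentlyContinue

foreach ($file in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $inTrustedDir = $TrustedDirs | Where-Object { $file.DirectoryName -like "$_*" }

    $flags = @()
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (file modified after signing) or UnknownError
        $flags += "signature:$($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        # Valid chain, but not the Microsoft Windows code-signing subject shown on this page
        $flags += 'signer:not-Microsoft-Windows'
    }
    if (-not $inTrustedDir) { $flags += 'path:outside-system-dirs' }

    [pscustomobject]@{
        Path          = $file.FullName
        Version       = $file.VersionInfo.FileVersion
        Signer        = $sig.SignerCertificate.Subject
        SHA256        = $hash
        Matches17763  = ($hash -eq $ExpectedSha256)   # informational only
        Flags         = ($flags -join ', ')
    }
}
```

Pipe the output through `Where-Object { $_.Flags }` to see only the copies that failed a check. A copy in a user-writable directory with a valid Microsoft signature is still worth a look (it can be a renamed or staged legitimate binary, as in the ESET row), which is why the path check is reported independently of the signature check.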

MIT License. Copyright (c) 2020-2021 Strontic.