ctfmon.exe

  • File Path: C:\windows\system32\ctfmon.exe
  • Description: CTF Loader

Hashes

Type Hash
MD5 9929D83891B1C86F4E12C0C90BD8632E
SHA1 49C15D9B347118E4CA30AE40551C41D07E6AD1AC
SHA256 035F9B76F8B5FEC3F645A5645257FF7E13D603A878648881AFFDB0E9DC989BC8
SHA384 C1ADBF14385AECF452D0CEEF74367EC4F60CE30E3E07E9623FFF610A3171BB24133D1FB37910AE4C4E8F9EB28817D607
SHA512 5B99BF15C5F36ED83670777E173CDB00FC10FB05F4EE0D14B59F30585F6B53E283E6EEAB251E71A4827D0674666AEEF65D4D9AE407335FAA0920590771D9893F
SSDEEP 96:4+IYPI5Y80MF1v2gSnW2Qd6BZTLjlsDqf17plruADJVpRKLwEWjgWwBed:oYPD9M+npBBZTSOf17plyIYWjgWj

Signature

  • Status: The file C:\windows\system32\ctfmon.exe is not digitally signed (no embedded Authenticode signature was found). Windows system binaries such as this one are normally signed through the security catalogs rather than with an embedded signature, so a "not signed" result from an embedded-signature check does not by itself indicate tampering; verify the file against the catalogs and against the hashes above.
  • Serial: (none)
  • Thumbprint: (none)
  • Issuer: (none)
  • Subject: (none)

File Metadata

  • Original Filename: CTFMON.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\ctfmon.exe 38
C:\Windows\system32\ctfmon.exe 38
C:\windows\SysWOW64\ctfmon.exe 36

Possible Misuse

The following table contains possible examples of ctfmon.exe being misused. While ctfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that most of the entries below match on the file name rather than on this binary: the YARA strings reference a ctfmon.exe path or ctfmon-named temp files written by unrelated malware, and the ESET entry records a clean copy being abused by a loader. When an alert fires on the name alone, confirm the image path and compare the hash against the values above before treating the file itself as malicious.

Source | Source File | Example | License
sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\WINDOWS\system32\ctfmon.exe' | DRL 1.0
malware-ioc | amavaldo | 6C04499F7406E270B590374EF813C4012530273E, ctfmon.exe, Abused legitimate application, Clean file | © ESET 2014-2018
signature-base | apt_four_element_sword.yar | $s1 = "\System32\ctfmon.exe" fullword ascii | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s0 = "%USERPROFILE%\AppData\Local\Temp\Low\ctfmon.log" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.015' */ | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s1 = "%USERPROFILE%\AppData\Local\Temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.015' */ | CC BY-NC 4.0
signature-base | apt_poisonivy.yar | $s2 = "\temp\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */ | CC BY-NC 4.0
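The following PowerShell script turns the data on this page into a host triage check. It is an added example, not part of the Strontic page and not code from the sigma, ESET or signature-base projects. The SHA256 value is the page's hash for file version 6.3.9600.16384 (Windows 8.1), so other builds will legitimately produce a different hash and need their own known-good value; the temp file names come from the apt_poisonivy.yar strings above; the function names and the expected-directory list are this example's own choices.

```powershell
# Added example (not from the Strontic page): triage ctfmon.exe using the
# hashes, signature status and indicators listed above.
# Assumes Windows 8.1 x64 with file version 6.3.9600.16384; the SHA256 below
# is the page's value for that build only.
$KnownGoodSha256 = @(
    '035F9B76F8B5FEC3F645A5645257FF7E13D603A878648881AFFDB0E9DC989BC8'
)
# Directories where a genuine ctfmon.exe lives (assumption for this example).
$ExpectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-CtfmonBinary {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\ctfmon.exe'))

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $result = [ordered]@{ Path = $Path; Exists = $true }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Sha256    = $hash
    $result.HashKnown = $KnownGoodSha256 -contains $hash

    # Get-AuthenticodeSignature consults the security catalogs, so a
    # catalog-signed system binary reports Status 'Valid' with
    # SignatureType 'Catalog'. A tool that reads only the PE's embedded
    # signature reports the same file as not signed, which is what the
    # Signature section above reflects.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SigStatus = $sig.Status
    $result.SigType   = $sig.SignatureType
    $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    $result.FileVersion = $ver.FileVersion
    $result.CompanyName = $ver.CompanyName
    [pscustomobject]$result
}

function Find-CtfmonProcessAnomalies {
    # Running ctfmon.exe instances whose image is outside System32/SysWOW64.
    Get-CimInstance Win32_Process -Filter "Name = 'ctfmon.exe'" |
        ForEach-Object {
            $dir = if ($_.ExecutablePath) { Split-Path -Path $_.ExecutablePath -Parent } else { '' }
            $inExpected = [bool]($ExpectedDirs | Where-Object { $dir -ieq $_ })
            [pscustomobject]@{
                ProcessId      = $_.ProcessId
                ParentPid      = $_.ParentProcessId
                ExecutablePath = $_.ExecutablePath
                InExpectedDir  = $inExpected
                CommandLine    = $_.CommandLine
            }
        } | Where-Object { -not $_.InExpectedDir }
}

function Find-PoisonIvyCtfmonArtifacts {
    # File names taken from the apt_poisonivy.yar strings above; a genuine
    # ctfmon.exe does not write these.
    $candidates = @(
        (Join-Path $env:LOCALAPPDATA 'Temp\Low\ctfmon.log'),
        (Join-Path $env:LOCALAPPDATA 'Temp\ctfmon.tmp'),
        (Join-Path $env:TEMP 'ctfmon.tmp')
    )
    $candidates | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-Item -LiteralPath $_ | Select-Object FullName, Length, LastWriteTime }
}

Test-CtfmonBinary | Format-List
Test-CtfmonBinary -Path (Join-Path $env:SystemRoot 'SysWOW64\ctfmon.exe') | Format-List
Find-CtfmonProcessAnomalies | Format-Table -AutoSize
Find-PoisonIvyCtfmonArtifacts | Format-Table -AutoSize
```

A hash mismatch on a patched system is expected (the page lists one build), so treat HashKnown as informative and the signature status plus image path as the deciding checks. A ctfmon.exe process running from a user-writable directory, or the temp artifacts turning up, is what warrants pulling the binary for analysis.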

MIT License. Copyright (c) 2020-2021 Strontic.