ctfmon.exe

  • File Path: C:\WINDOWS\system32\ctfmon.exe
  • Description: CTF Loader

Hashes

Type Hash
MD5 A1F2CF496F181AA75352E102978E60D0
SHA1 8DA2EF2451967458DBD96D1C8ADF78E774E03470
SHA256 A0DF21D82DAA60F8181589F4CE96441891B6E13716F353E9D71C8B303CF398D2
SHA384 FCEABEC390CD7CDFE843073283F0A68602FF047E57F434A0E1C09506DEF7BB658CF90B61DB54F903C481A23C7FEA0180
SHA512 FED81DFAA17BEFE6A6079324EFB4D170C4BAA9F54C84096A2741CC296F65577902CC1B623E033DB14911F284FF346216D290ED327469AC2F85C72297F4451AD8
SSDEEP 192:EQJ1V2Llzc5pjq0N3h37iJ47cq6D7JiFC8WAgW:PHKlQXqw3h3mKAqgYvWAgW

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CTFMON.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ctfmon.exe 60

Possible Misuse

The following table contains possible examples of ctfmon.exe being misused. While ctfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\system32\ctfmon.exe' DRL 1.0
malware-ioc amavaldo \| 6C04499F7406E270B590374EF813C4012530273E \| ctfmon.exe \| Abused legitimate application \| Clean file \| © ESET 2014-2018
signature-base apt_four_element_sword.yar $s1 = “\System32\ctfmon.exe” fullword ascii CC BY-NC 4.0
signature-base apt_poisonivy.yar $s0 = “%USERPROFILE%\AppData\Local\Temp\Low\ctfmon.log” fullword ascii /* PEStudio Blacklist: strings / / score: ‘43.015’ */ CC BY-NC 4.0
signature-base apt_poisonivy.yar $s1 = “%USERPROFILE%\AppData\Local\Temp\ctfmon.tmp” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.015’ */ CC BY-NC 4.0
signature-base apt_poisonivy.yar $s2 = “\temp\ctfmon.tmp” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.