ctfmon.exe

  • File Path: C:\windows\SysWOW64\ctfmon.exe
  • Description: CTF Loader

Hashes

Type Hash
MD5 BE80808B5FE1D9C9351653EEC814A75A
SHA1 9C3E75F34FEC80660A754AFF4D213810A2753D66
SHA256 35FD9608D1147D191D8689AC10E75934BA93DFE54C1432545BC8A10CB20CF72B
SHA384 12FBDFB1E2098B0EB9087083E2DF7EA45A215B1903111088BEB400048211DA5EA0784481496B614785CBAEF58B22B633
SHA512 72347A8158C02293DD4116D9E97D412FEF6DAD8065A3B7CDDA28B12152E6DD48964E72F38C6DD0A2AB6323DBCC6013C9CEA0B721628C2FF9C65899B2E7FCA625
SSDEEP 96:DgO1mX9sT2QoiIpSDWPT4ulTHgpx2G/T/WDkVOBAiJUw0FhDJ7pRKRQEWjgWwBej:DP1mXSqJT5sLWoVOBAi10FnaWjgW

Signature

  • Status: The file C:\windows\SysWOW64\ctfmon.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: CTFMON.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\windows\system32\ctfmon.exe 36
C:\Windows\SysWOW64\ctfmon.exe 36
C:\Windows\SysWOW64\ctfmon.exe 46
C:\WINDOWS\SysWOW64\ctfmon.exe 33
C:\Windows\SysWOW64\ctfmon.exe 36
C:\WINDOWS\SysWOW64\ctfmon.exe 33

Possible Misuse

The following table contains possible examples of ctfmon.exe being misused. While ctfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_in_memory_assembly_execution.yml - 'C:\WINDOWS\system32\ctfmon.exe' DRL 1.0
malware-ioc amavaldo \| 6C04499F7406E270B590374EF813C4012530273E \| ctfmon.exe \| Abused legitimate application \| Clean file \| © ESET 2014-2018
signature-base apt_four_element_sword.yar $s1 = “\System32\ctfmon.exe” fullword ascii CC BY-NC 4.0
signature-base apt_poisonivy.yar $s0 = “%USERPROFILE%\AppData\Local\Temp\Low\ctfmon.log” fullword ascii /* PEStudio Blacklist: strings / / score: ‘43.015’ */ CC BY-NC 4.0
signature-base apt_poisonivy.yar $s1 = “%USERPROFILE%\AppData\Local\Temp\ctfmon.tmp” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.015’ */ CC BY-NC 4.0
signature-base apt_poisonivy.yar $s2 = “\temp\ctfmon.tmp” fullword ascii /* PEStudio Blacklist: strings / / score: ‘28.01’ */ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.