
Analysis Report ctfmon.exe

Overview

General Information

Sample Name:ctfmon.exe
Analysis ID:411189
MD5:252dce576f9fbb9aaa7114dd7150f320
SHA1:c07f0a02c284b697dff119839f455836be39d10e
SHA256:b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara detected NetSupport remote tool

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Analysis Advice

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



  • System is w10x64
  • ctfmon.exe (PID: 6172 cmdline: 'C:\Users\user\Desktop\ctfmon.exe' -install MD5: 252DCE576F9FBB9AAA7114DD7150F320)
  • ctfmon.exe (PID: 6312 cmdline: 'C:\Users\user\Desktop\ctfmon.exe' /install MD5: 252DCE576F9FBB9AAA7114DD7150F320)
  • ctfmon.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\ctfmon.exe' /load MD5: 252DCE576F9FBB9AAA7114DD7150F320)
  • cleanup

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings
ctfmon.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.230880021.00000000002A2000.00000004.00020000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000002.239446612.00000000002A2000.00000004.00020000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000000.00000002.222619681.00000000002A3000.00000002.00020000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000005.00000000.211766917.00000000002A2000.00000002.00020000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000003.00000000.206472272.00000000002A2000.00000002.00020000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
Source | Rule | Description | Author | Strings
3.0.ctfmon.exe.2a0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
5.0.ctfmon.exe.2a0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
5.2.ctfmon.exe.2a0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0.0.ctfmon.exe.2a0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0.2.ctfmon.exe.2a0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

                        Sigma Overview

                        No Sigma rule has matched

                        Signature Overview



There are no malicious signatures.

Source: ctfmon.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ctfmon.exe, Static PE information: certificate valid
Source: ctfmon.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\nsmsrc\nsm\1280\1280\client32\release_unicode\client32.pdb source: ctfmon.exe
Source: ctfmon.exe, String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: ctfmon.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ctfmon.exe, String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: ctfmon.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ctfmon.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: ctfmon.exe, String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ctfmon.exe, String found in binary or memory: http://s2.symcb.com0
Source: ctfmon.exe, String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ctfmon.exe, String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ctfmon.exe, String found in binary or memory: http://sv.symcd.com0&
Source: ctfmon.exe, String found in binary or memory: http://www.symauth.com/cps0(
Source: ctfmon.exe, String found in binary or memory: http://www.symauth.com/rpa00
Source: ctfmon.exe, String found in binary or memory: https://d.symcb.com/cps0%
Source: ctfmon.exe, String found in binary or memory: https://d.symcb.com/rpa0
Source: ctfmon.exe, String found in binary or memory: https://sectigo.com/CPS0B
Source: ctfmon.exe, String found in binary or memory: https://sectigo.com/CPS0D
Source: ctfmon.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ctfmon.exe, 00000000.00000002.222619681.00000000002A3000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameclient32.exe0 vs ctfmon.exe
Source: ctfmon.exe, 00000003.00000000.206472272.00000000002A2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameclient32.exe0 vs ctfmon.exe
Source: ctfmon.exe, 00000005.00000000.211766917.00000000002A2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameclient32.exe0 vs ctfmon.exe
Source: ctfmon.exe, Binary or memory string: OriginalFilenameclient32.exe0 vs ctfmon.exe
Source: C:\Users\user\Desktop\ctfmon.exe, Section loaded: pcicl32.dll
Source: classification engine, Classification label: clean3.winEXE@3/0@0/0
Source: ctfmon.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ctfmon.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ctfmon.exe, String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: unknown, Process created: C:\Users\user\Desktop\ctfmon.exe 'C:\Users\user\Desktop\ctfmon.exe' -install
Source: unknown, Process created: C:\Users\user\Desktop\ctfmon.exe 'C:\Users\user\Desktop\ctfmon.exe' /install
Source: unknown, Process created: C:\Users\user\Desktop\ctfmon.exe 'C:\Users\user\Desktop\ctfmon.exe' /load
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

                        Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
Defense Evasion: Process Injection (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory
Discovery: System Information Discovery (1), Application Window Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol
Collection: Data from Local System, Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
Command and Control: Data Obfuscation, Junk Data
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization
Impact: Modify System Partition, Device Lockout
Behavior Graph (ID: 411189, Sample: ctfmon.exe, Start date: 11/05/2021, Architecture: WINDOWS, Score: 3): the start node launches three ctfmon.exe processes.

Source | Detection | Scanner | Label
ctfmon.exe | 6% | Virustotal |
ctfmon.exe | 0% | Metadefender |
ctfmon.exe | 14% | ReversingLabs | Win32.Trojan.NetSupportManager
                        No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
                        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | ctfmon.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | ctfmon.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | ctfmon.exe | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | ctfmon.exe | false | | high
http://www.symauth.com/rpa00 | ctfmon.exe | false | | high
https://sectigo.com/CPS0B | ctfmon.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | ctfmon.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | ctfmon.exe | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0D | ctfmon.exe | false | URL Reputation: safe | unknown
                            No contacted IP infos

                            General Information

                            Joe Sandbox Version:32.0.0 Black Diamond
                            Analysis ID:411189
                            Start date:11.05.2021
                            Start time:17:45:20
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 4m 27s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:ctfmon.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Run name:Cmdline fuzzy
Number of new started processes analysed:29
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:CLEAN
                            Classification:clean3.winEXE@3/0@0/0
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 100% (good quality ratio 100%)
                            • Quality average: 75%
                            • Quality standard deviation: 25%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 1
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
• Execution Graph export aborted for target ctfmon.exe, PID 6172 because there are no executed functions
                            No simulations
                            No context
                            No created / dropped files found

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):4.950187105195601
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:ctfmon.exe
                            File size:112176
                            MD5:252dce576f9fbb9aaa7114dd7150f320
                            SHA1:c07f0a02c284b697dff119839f455836be39d10e
                            SHA256:b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
                            SHA512:17255a8255b152edf896b4eb1719a2c52dbfed38887aa79b02fe54fcefca45c5089ed6340b8251fea1cf031b7c016328bd88741a066fa138ca7b722cf970b06b
                            SSDEEP:768:c5VZl6FhWr80/0fyXt/cfdtVJvriXiRzi:c90hG8f8dcFPVWXiI
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.g.W.g.W.g.^...U.g.8...T.g.W.f.R.g.8...V.g.8...V.g.8...V.g.RichW.g.........PE..L......^.....................r...... ......

                            File Icon

                            Icon Hash:050d124130a1c151

                            General

                            Entrypoint:0x401020
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x5E2EEEBC [Mon Jan 27 14:07:56 2020 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:a9d50692e95b79723f3e76fcf70d023e
                            Signature Valid:true
                            Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
                            Signature Validation Error:The operation completed successfully
                            Error Number:0
                            Not Before, Not After
                            • 9/14/2017 5:00:00 PM 9/22/2020 4:59:59 PM
                            Subject Chain
                            • CN=NetSupport Ltd, O=NetSupport Ltd, L=Peterborough, S=Cambridgeshire, C=GB
                            Version:3
                            Thumbprint MD5:3D34EA0E8E4C65FC7C8599BE3ACDE072
                            Thumbprint SHA-1:F84EC9488BDAC5F90DB3C474B55E31A8F10A2026
                            Thumbprint SHA-256:FCD6A7E626908DC8E5D3CE6FC9350EC099C42FB1AD1231A75208B54754985089
                            Serial:79906FAF4FBD75BAA10B322356A07F6D
                            Instruction
                            push ebp
                            mov ebp, esp
                            sub esp, 44h
                            push esi
                            call dword ptr [00402000h]
                            mov esi, eax
                            cmp word ptr [esi], 0022h
                            jne 00007FFAC49C581Dh
                            movzx eax, word ptr [esi+02h]
                            add esi, 02h
                            test ax, ax
                            je 00007FFAC49C57B4h
                            cmp ax, 0022h
                            je 00007FFAC49C57B4h
                            movzx eax, word ptr [esi+02h]
                            add esi, 02h
                            test ax, ax
                            jne 00007FFAC49C5790h
                            cmp word ptr [esi], 0022h
                            jne 00007FFAC49C57A5h
                            add esi, 02h
                            movzx eax, word ptr [esi]
                            test ax, ax
                            je 00007FFAC49C57B4h
                            cmp ax, 0020h
                            jnbe 00007FFAC49C57AEh
                            movzx eax, word ptr [esi+02h]
                            add esi, 02h
                            test ax, ax
                            jne 00007FFAC49C5790h
                            lea eax, dword ptr [ebp-44h]
                            push eax
                            mov dword ptr [ebp-18h], 00000000h
                            call dword ptr [0040200Ch]
                            test byte ptr [ebp-18h], 00000001h
                            movzx eax, word ptr [ebp-14h]
                            jne 00007FFAC49C57A7h
                            mov eax, 0000000Ah
                            push eax
                            push esi
                            push 00000000h
                            push 00000000h
                            call dword ptr [00402008h]
                            push eax
                            call 00007FFAC49C56FDh
                            push eax
                            call dword ptr [00402004h]
                            nop
                            cmp word ptr [esi], 0020h
                            jbe 00007FFAC49C5748h
                            add esi, 02h
                            jmp 00007FFAC49C5797h
                            int3
                            jmp dword ptr [00402014h]
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [IMP] VS2010 build 30319
                            • [RES] VS2010 build 30319
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x16c08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17800 | 0x3e30 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x14 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2020 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc2 | 0x200 | False | 0.318359375 | data | 2.77998506607 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x15e | 0x200 | False | 0.46484375 | data | 3.50726381565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3000 | 0x16c08 | 0x16e00 | False | 0.106034409153 | data | 4.13266450046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0x6c | 0x200 | False | 0.060546875 | data | 0.221676205458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type
RT_ICON | 0x32c8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON | 0x3b70 | 0x568 | GLS_BINARY_LSB_FIRST
RT_ICON | 0x40d8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4281761986, next used block 4281761986
RT_ICON | 0x14900 | 0x25a8 | data
RT_ICON | 0x16ea8 | 0x10a8 | data
RT_ICON | 0x17f50 | 0x988 | data
RT_ICON | 0x188d8 | 0x6b8 | data
RT_ICON | 0x18f90 | 0x468 | GLS_BINARY_LSB_FIRST
RT_STRING | 0x193f8 | 0x62 | data
RT_GROUP_ICON | 0x1945c | 0x76 | data
RT_VERSION | 0x194d4 | 0x3ac | data
RT_MANIFEST | 0x19880 | 0x385 | XML 1.0 document, ASCII text, with CRLF line terminators
DLL | Import
PCICL32.dll | _NSMClient32@8
KERNEL32.dll | GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW
Description | Data
LegalCopyright:Copyright (c) 2020, NetSupport Ltd
InternalName:client32
FileVersion:V12.80
CompanyName:NetSupport Ltd
PrivateBuild:V12.80
LegalTrademarks:
Comments:
ProductName:NetSupport Remote Control
SpecialBuild:
ProductVersion:V12.80
FileDescription:NetSupport Client Application
OriginalFilename:client32.exe
Translation:0x0809 0x04b0

                            Network Behavior

                            No network behavior found

                            Code Manipulations

                            Statistics

                            CPU Usage

CPU Usage chart (x-axis: 0-100 s; y-axis: 0-100)


                            Memory Usage

Memory Usage chart (x-axis: 0-100 s; y-axis: MB)


                            Behavior


                            System Behavior

                            Start time:17:47:04
                            Start date:11/05/2021
                            Path:C:\Users\user\Desktop\ctfmon.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\ctfmon.exe' -install
                            Imagebase:0x2a0000
                            File size:112176 bytes
                            MD5 hash:252DCE576F9FBB9AAA7114DD7150F320
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000002.222619681.00000000002A3000.00000002.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000002.222615765.00000000002A2000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000000.201131977.00000000002A2000.00000002.00020000.sdmp, Author: Joe Security
Reputation:low

                            Start time:17:47:07
                            Start date:11/05/2021
                            Path:C:\Users\user\Desktop\ctfmon.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\ctfmon.exe' /install
                            Imagebase:0x2a0000
                            File size:112176 bytes
                            MD5 hash:252DCE576F9FBB9AAA7114DD7150F320
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.230880021.00000000002A2000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000000.206472272.00000000002A2000.00000002.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.230884930.00000000002A3000.00000002.00020000.sdmp, Author: Joe Security
Reputation:low

                            Start time:17:47:09
                            Start date:11/05/2021
                            Path:C:\Users\user\Desktop\ctfmon.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\user\Desktop\ctfmon.exe' /load
                            Imagebase:0x2a0000
                            File size:112176 bytes
                            MD5 hash:252DCE576F9FBB9AAA7114DD7150F320
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.239446612.00000000002A2000.00000004.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.211766917.00000000002A2000.00000002.00020000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.239455495.00000000002A3000.00000002.00020000.sdmp, Author: Joe Security
                            Reputation:low

                            Disassembly

                            Code Analysis

                            Executed Functions

                            Non-executed Functions

                            C-Code - Quality: 100%
Address column: first instruction attributed to each statement; blank where the decompiler emitted a statement (goto, continue, closing brace) that has no instruction of its own.

            	_entry_() {
            		struct _STARTUPINFOW _v72;
            		signed int _t11;
            		signed int _t13;
            		signed int _t16;
            		signed short* _t17;                    // cursor over the UTF-16 command line

            		// Standard Win32 CRT start-up pattern: derive lpCmdLine by skipping the
            		// (possibly quoted) module name in GetCommandLineW(), derive nShowCmd from
            		// STARTUPINFO, call the real WinMain (E002A1000) and exit with its return value.
0x002a102d  		_t17 = GetCommandLineW();
0x002a1033  		if( *_t17 != 0x22) {                   // module name is not quoted (0x22 == '"')
0x002a10b0  			while( *_t17 > 0x20) {              // advance to the first whitespace or NUL
0x002a10b6  				_t17 =  &(_t17[1]);
0x002a10b6  			}
0x002a105c  			L6:
0x002a105c  			_t11 =  *_t17 & 0x0000ffff;
0x002a1062  			if(_t11 == 0) {                     // nothing after the module name: lpCmdLine is ""
0x002a1076  				L9:
0x002a107a  				_v72.dwFlags = 0;
0x002a1081  				GetStartupInfoW( &_v72);
0x002a108b  				_t13 = _v72.wShowWindow & 0x0000ffff;
0x002a108f  				if((_v72.dwFlags & 0x00000001) == 0) {   // STARTF_USESHOWWINDOW not set
0x002a1091  					_t13 = 0xa;                     // SW_SHOWDEFAULT
0x002a1091  				}
0x002a10a9  				ExitProcess(E002A1000(GetModuleHandleW(0), 0, _t17, _t13));   // WinMain(hInstance, NULL, lpCmdLine, nShowCmd)
0x002a10a9  			}
0x002a1064  			while(_t11 <= 0x20) {               // skip whitespace between module name and arguments
0x002a106a  				_t11 = _t17[1] & 0x0000ffff;
0x002a106e  				_t17 =  &(_t17[1]);
0x002a1074  				if(_t11 != 0) {
            					continue;
            				}
            				goto L9;                        // reached NUL while skipping: lpCmdLine is ""
0x002a1074  			}
            			goto L9;                            // first non-whitespace character: call WinMain
0x002a1064  		}
            		// Quoted module name: advance to the closing quote, or to NUL if it is never closed
0x002a1035  		_t16 = _t17[1] & 0x0000ffff;
0x002a1039  		_t17 =  &(_t17[1]);
0x002a103f  		if(_t16 == 0) {
0x002a1053  			L4:
0x002a1057  			if( *_t17 != 0x22) {                // unterminated quote: cursor is on NUL
            				goto L6;
            			}
0x002a1059  			L5:
0x002a1059  			_t17 =  &(_t17[1]);                 // step past the closing quote
            			goto L6;
0x002a1059  		}
0x002a1041  		while(_t16 != 0x22) {
0x002a1047  			_t16 = _t17[1] & 0x0000ffff;
0x002a104b  			_t17 =  &(_t17[1]);
0x002a1051  			if(_t16 != 0) {
            				continue;
            			}
            			goto L4;
0x002a1051  		}
            		goto L5;
            	}
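The stub above is the usual Win32 CRT entry pattern: lpCmdLine is the rest of GetCommandLineW() after the (possibly quoted) module name and any whitespace, and nShowCmd is STARTUPINFO.wShowWindow only when STARTF_USESHOWWINDOW (0x1) is set, otherwise SW_SHOWDEFAULT (0xa). The C below is an added re-implementation of that logic for illustration; it is not code from the sample or from the report. It assumes the stub's "> 0x20" comparison is unsigned, and the command lines it runs over are constructed to match the three invocations recorded in System Behavior (as GetCommandLineW() would return them, with a double-quoted path) plus the edge cases the stub handles: unquoted path, no arguments, and an unterminated quote.

```c
#include <stdio.h>
#include <wchar.h>

/* Added example, not the sample's code: readable form of the entry stub's
 * command-line handling.  Returns a pointer into `cmdline` at the first
 * argument, i.e. what the stub passes to WinMain as lpCmdLine.
 * Assumption: the stub's `> 0x20` comparison is unsigned, so every code unit
 * above space counts as part of an unquoted module name. */
const wchar_t *skip_module_name(const wchar_t *p)
{
    if (*p == L'"') {
        /* Quoted module name: advance to the closing quote, or stop on NUL
         * if the quote is never closed (matches labels L4/L5 above). */
        p++;
        while (*p != L'\0' && *p != L'"')
            p++;
        if (*p == L'"')
            p++;                    /* step past the closing quote */
    } else {
        /* Unquoted module name: everything up to the first code unit <= 0x20 */
        while ((unsigned)*p > 0x20u)
            p++;
    }
    /* Skip whitespace/control characters before the first argument (label L6);
     * trailing whitespace after the arguments is kept, as in the stub. */
    while (*p != L'\0' && (unsigned)*p <= 0x20u)
        p++;
    return p;
}

/* nShowCmd selection as done at 0x002a108b..0x002a1091:
 * STARTF_USESHOWWINDOW (0x1) set -> wShowWindow, otherwise SW_SHOWDEFAULT (10). */
int show_cmd_from_startup(unsigned long dwFlags, unsigned short wShowWindow)
{
    return (dwFlags & 0x1ul) ? (int)wShowWindow : 10;
}

int main(void)
{
    /* Constructed inputs: the three invocations from the report plus edge cases. */
    const wchar_t *samples[] = {
        L"\"C:\\Users\\user\\Desktop\\ctfmon.exe\" -install",
        L"\"C:\\Users\\user\\Desktop\\ctfmon.exe\" /install",
        L"\"C:\\Users\\user\\Desktop\\ctfmon.exe\" /load",
        L"C:\\Users\\user\\Desktop\\ctfmon.exe   /load  ",   /* unquoted, extra spaces */
        L"\"C:\\Users\\user\\Desktop\\ctfmon.exe\"",           /* no arguments */
        L"\"C:\\unterminated quote",                           /* quote never closed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        wprintf(L"[%ls] -> lpCmdLine=[%ls]\n", samples[i], skip_module_name(samples[i]));
    wprintf(L"nShowCmd without STARTF_USESHOWWINDOW: %d\n", show_cmd_from_startup(0, 3));
    wprintf(L"nShowCmd with STARTF_USESHOWWINDOW:    %d\n", show_cmd_from_startup(1, 3));
    return 0;
}
```

For the three recorded invocations the function returns "-install", "/install" and "/load" respectively, so whatever E002A1000 does with its switch parsing, these are the exact strings it receives; the unterminated-quote and no-argument cases both yield an empty lpCmdLine rather than reading past the buffer.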

                            APIs
                            • GetCommandLineW.KERNEL32 ref: 002A1027
                            • GetStartupInfoW.KERNEL32(?), ref: 002A1081
                            • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 002A109C
                            • ExitProcess.KERNEL32 ref: 002A10A9
                            Memory Dump Source
                            • Source File: 00000000.00000002.222612189.00000000002A1000.00000020.00020000.sdmp, Offset: 002A0000, based on PE: true
• Associated: 00000000.00000002.222607921.00000000002A0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.222615765.00000000002A2000.00000004.00020000.sdmp
• Associated: 00000000.00000002.222619681.00000000002A3000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2a0000_ctfmon.jbxd
                            Yara matches
                            Similarity
                            • API ID: CommandExitHandleInfoLineModuleProcessStartup
                            • String ID:
                            • API String ID: 2164999147-0
                            • Opcode ID: 8c2f2cba682862c610695891984b44a34eee2a1926e26daecd628915fc7cfc1b
                            • Instruction ID: 46e0c76be463121314f0c9caaf31abe9116a9e56c4bd9af8ef8ca69b97d0ec64
                            • Opcode Fuzzy Hash: 8c2f2cba682862c610695891984b44a34eee2a1926e26daecd628915fc7cfc1b
                            • Instruction Fuzzy Hash: FC01C469C243B2D7DB302F94980937B76B4AF223A1F118015ED8AA3181FF644CF5C2A5
                            Uniqueness

                            Uniqueness Score: -1.00%