fltMC.exe

  • File Path: C:\Windows\SysWOW64\fltMC.exe
  • Description: Filter Manager Control Program

Hashes

Type Hash
MD5 330E111C418797FC2E56F3F7E5FAAB9A
SHA1 F7405889D043C4A872C1246D16C4D006BD1405CC
SHA256 7E2A2A6D4ED446503A677A98EDB90CF12838B5764CE863AFDDAFB45F3B631597
SHA384 C81E702BB831269400A9374EF4B70C55DC41CAC20C2D959BC5E0624019CBDF654307E7CDE85E25C5F2390F49D779DFAD
SHA512 3B938BBF513BB8265214556BE9C28E2B0C8A66EB2DF3E4CDF90A3B79F113788CF35EC34FBF9F32F406EAAE42976F3B8A7B9CE0535CFDE2D625005E3D781A3B14
SSDEEP 384:EAMNUGvYUI9LwOnrnq0px6izavkJjjJ5X8cR29WY9WK6:EFI9LwOnrnq2oiOvk3+cR2Z
IMP 50932E942F8E6C207BD1C02FB974B27C
PESHA1 F04E8DE6AA584963E36DB68405B48825B60B58B4
PE256 53A55D4873B684D01AFA10A957763BB8FB4A7C3621A526F2F59E1148BF0C3968

Runtime Data

Usage (stdout):


** Invalid command
Valid commands:
    load        Loads a Filter driver
    unload      Unloads a Filter driver
    filters     Lists the Filters currently registered in the system
    instances   Lists the Instances for a Filter or Volume currently
                registered in the system
    volumes     Lists all volumes/RDRs in the system
    attach      Creates a Filter Instance to a Volume
    detach      Removes a Filter Instance from a Volume

    Use fltmc help [ command ] for help on a specific command

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\fltMC.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: fltMC.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/7e2a2a6d4ed446503a677a98edb90cf12838b5764ce863afddafb45f3b631597/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\fltMC.exe 93

Possible Misuse

The following table contains possible examples of fltMC.exe being misused. While fltMC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\fltMC.exe' DRL 1.0
sigma proc_creation_win_stordiag_execution.yml description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe DRL 1.0
sigma proc_creation_win_stordiag_execution.yml - '\fltmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_driver_unload.yml Image\|endswith: '\fltmc.exe' DRL 1.0
LOLBAS FltMC.yml Name: fltMC.exe  
LOLBAS FltMC.yml - Command: fltMC.exe unload SysmonDrv  
LOLBAS FltMC.yml - Path: C:\Windows\System32\fltMC.exe  
LOLBAS FltMC.yml - IOC: 4688 events with fltMC.exe  
LOLBAS Stordiag.yml Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.  
LOLBAS Stordiag.yml - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\  
atomic-red-team T1518.001.md fltmc.exe | findstr.exe 385201 MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md fltmc.exe unload #{sysmon_driver} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.