fltMC.exe
- File Path:
C:\Windows\SysWOW64\fltMC.exe - Description: Filter Manager Control Program
Hashes
| Type | Hash |
|---|---|
| MD5 | 8A973456D8B1CDE50EC102A01A61E788 |
| SHA1 | 66CEE9CF45573F90601822E8325789D404698736 |
| SHA256 | 7C0B13D17FAB5EA169B9C637C604B71503F86728C03D27C1AB81A18F8CAAE391 |
| SHA384 | 45540126942C2D10818C604E36E5E5A332F60111366038C8062D75E89F6C407A3063668211DAA60D5F093B2F0B0A5208 |
| SHA512 | 0676E49002210A879FA9FD8090BD48C7C6818668A5DB23B90356314333AB63AF332CBBF9CBDE3F8144EDDD5C1752AA7AFF2F939B07A157C2BE3420A597A47A37 |
| SSDEEP | 384:WM+7nj57cY3SIBbSySM/aRgoW1xup8czUUE6XfIR2lWT9Wp:KnN3SIBbSySM/aRgdMNgmIR2G |
| IMP | 8C8C09D4509B63B5CE0F14A2DD512C04 |
| PESHA1 | CF9F4D1D68B516E00AF7C24C91F41F8629693E4F |
| PE256 | 132FBFE8637A117B314AFAD086EF2358DB2CFE1C45E98FB1871173173C3F7EE7 |
Runtime Data
Usage (stdout):
** Invalid command
Valid commands:
load Loads a Filter driver
unload Unloads a Filter driver
filters Lists the Filters currently registered in the system
instances Lists the Instances for a Filter or Volume currently
registered in the system
volumes Lists all volumes/RDRs in the system
attach Creates a Filter Instance to a Volume
detach Removes a Filter Instance from a Volume
Use fltmc help [ command ] for help on a specific command
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: fltMC.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/7c0b13d17fab5ea169b9c637c604b71503f86728c03d27c1ab81a18f8caae391/detection/
Possible Misuse
The following table contains possible examples of fltMC.exe being misused. While fltMC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_user_driver_loaded.yml | - '\Windows\System32\fltMC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | - '\fltmc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_sysmon_driver_unload.yml | Image\|endswith: '\fltmc.exe' |
DRL 1.0 |
| LOLBAS | FltMC.yml | Name: fltMC.exe |
|
| LOLBAS | FltMC.yml | - Command: fltMC.exe unload SysmonDrv |
|
| LOLBAS | FltMC.yml | - Path: C:\Windows\System32\fltMC.exe |
|
| LOLBAS | FltMC.yml | - IOC: 4688 events with fltMC.exe |
|
| LOLBAS | Stordiag.yml | Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. |
|
| LOLBAS | Stordiag.yml | - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ |
|
| atomic-red-team | T1518.001.md | fltmc.exe | findstr.exe 385201 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | fltmc.exe unload #{sysmon_driver} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.