wlrmdr.exe

  • File Path: C:\windows\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

  • MD5: 04446BA6D8ECEF7BCF4652A71E2F3F84
  • SHA1: ADB9A5D3C1075116F8262C4F61E6048AC9B06D93
  • SHA256: C27CCB3657D83E9E0CB329807C1AB66D02E49A90230EF711D8348562B6F2486D
  • SHA384: EBCE14997320DC7241B52C0BB947DEF9174EB8BE24EAC6B5CB5A3CD3A22C0B02020CE0613849F180349EAAE28CB4A016
  • SHA512: 34C65BF15C497A4AFFA0F60142480AEA21A42ED7C01A1DE0D2B154E64877865AB1B534D529186463708FEB10034816F377CC508F9918FE7CC0D427EDB6801051
  • SSDEEP: 1536:fFRf7KYuotxM8NMrVJ9svqr9PxDtViPx7e:nuY5CHrV8u9ZDtVi0

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  • C:\Windows\system32\wlrmdr.exe (score 35)
  • C:\Windows\system32\wlrmdr.exe (score 40)
  • C:\WINDOWS\system32\wlrmdr.exe (score 44)
  • C:\Windows\system32\wlrmdr.exe (score 35)
  • C:\Windows\system32\wlrmdr.exe (score 35)

Possible Misuse

The following table contains possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma; source file: proc_creation_win_lolbin_wlrmdr.yml; license: DRL 1.0
    - title: Wlrmdr Lolbin Use as Laucher
    - description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
    - Image|endswith: wlrmdr.exe
  • Source: LOLBAS; source file: Wlrmdr.yml; license: not listed
    - Name: Wlrmdr.exe
    - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
    - Description: Execute calc.exe with wlrmdr.exe as parent process
    - Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
    - Path: c:\windows\system32\wlrmdr.exe
    - IOC: wlrmdr.exe spawning any new processes

MIT License. Copyright (c) 2020-2021 Strontic.