wlrmdr.exe

  • File Path: C:\WINDOWS\system32\wlrmdr.exe
  • Description: Windows logon reminder

Runtime Data

Loaded Modules:

  • C:\WINDOWS\System32\ADVAPI32.dll
  • C:\WINDOWS\System32\KERNEL32.DLL
  • C:\WINDOWS\System32\KERNELBASE.dll
  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\system32\wlrmdr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/354b7b5f6d13bad37a062f3ce47d84a45efeda243813cd8bbcb8650d313e3ee4/detection

Possible Misuse

The following entries are possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma, file proc_creation_win_lolbin_wlrmdr.yml (license: DRL 1.0)

  • title: Wlrmdr Lolbin Use as Launcher
  • description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
  • Image|endswith: wlrmdr.exe

Source: LOLBAS, file Wlrmdr.yml

  • Name: Wlrmdr.exe
  • Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
  • Description: Execute calc.exe with wlrmdr.exe as parent process
  • Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
  • Path: c:\windows\system32\wlrmdr.exe
  • IOC: wlrmdr.exe spawning any new processes

MIT License. Copyright (c) 2020-2021 Strontic.