wlrmdr.exe

  • File Path: C:\Windows\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

Type Hash
MD5 3B4132776636F37787317DA4E0A75ED3
SHA1 6C7FDD7A10B051889771F087AB1596A521A2820C
SHA256 4C13CCD996D58673BEC9FA19B1F06B8CA1D6823307B76C5A2A79799F1073BF64
SHA384 DADD6EF5E36A29C773989F7797692295E23E11AB5194A94BF57891AD3B87894923D5B756B11ED459D15A25AE789ECF27
SHA512 E2E2F9C5FCFE5AD99C3B0C69E9BFAC5D4FE54009C7137D39200C4567FEF91ECEBD05D780F3C4C0522CDDD32A35FCD9AD476EE837882A62E67168EC168E74B79A
SSDEEP 1536:Y4gMLrY6x6g+d5cKswSjhbTvXylmAbsvqr9PxDtESpPTo:1rY6YxdsrvClEu9ZDtE6E
IMP 0C029EF03BE0DFE4324558843609A28E
PESHA1 D5D5A69D3C1F0BB0B32E96431D0148AAFC16AEEC
PE256 AC249FA332512ACB2579D2633A454E9F0CB2316FA484B08441D27BDC5055657D

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/4c13ccd996d58673bec9fa19b1f06b8ca1d6823307b76c5a2a79799f1073bf64/detection/

File Similarity (ssdeep match)

File Score
C:\windows\system32\wlrmdr.exe 35
C:\Windows\system32\wlrmdr.exe 38
C:\WINDOWS\system32\wlrmdr.exe 44
C:\Windows\system32\wlrmdr.exe 33
C:\Windows\system32\wlrmdr.exe 38

Possible Misuse

The following table contains possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_lolbin_wlrmdr.yml title: Wlrmdr Lolbin Use as Laucher DRL 1.0
sigma proc_creation_win_lolbin_wlrmdr.yml description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute DRL 1.0
sigma proc_creation_win_lolbin_wlrmdr.yml Image|endswith: wlrmdr.exe DRL 1.0
LOLBAS Wlrmdr.yml Name: Wlrmdr.exe
LOLBAS Wlrmdr.yml - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
LOLBAS Wlrmdr.yml Description: Execute calc.exe with wlrmdr.exe as parent process
LOLBAS Wlrmdr.yml Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
LOLBAS Wlrmdr.yml - Path: c:\windows\system32\wlrmdr.exe
LOLBAS Wlrmdr.yml - IOC: wlrmdr.exe spawning any new processes

MIT License. Copyright (c) 2020-2021 Strontic.