wlrmdr.exe

  • File Path: C:\Windows\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

Type Hash
MD5 82404475E1FFEEDBFA1758197858C432
SHA1 AB64C7001894B6C5FAB926596D0E2536BB547BE8
SHA256 876E04F2C6F953C80EDF173DFB2EB950257AABE5603ABC2EA43EAC0229A553A3
SHA384 12E1E812951521411E63B00A0E4CD2247E4A3FC3097FB8C5A9BF050C2BEAC0E61549302BDE28A9713BD3ADC11ABD97F9
SHA512 38F55778FDC19397FAB21D4879C8B810586B64508BE64BA4189866AA8B3C663E54824562132862AA88274C89C706B1D27FE57B726830E26C55AC590BD691B18B
SSDEEP 1536:s4/jyj91lFbMs/ukWlxZyE8svqr9PxDtykPmvX:7jyj9WoWlxgGu9ZDtyk+vX
IMP 0C029EF03BE0DFE4324558843609A28E
PESHA1 1E053F812333C35A5BC350198438F15257689F1D
PE256 97B81982E5C01B4B94464D482826990A11EC86759DEC0483AF892F6AD5AFF762

Runtime Data

Child Processes:

explorer.exe

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\wlrmdr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/876e04f2c6f953c80edf173dfb2eb950257aabe5603abc2ea43eac0229a553a3/detection

File Similarity (ssdeep match)

File Score
C:\windows\system32\wlrmdr.exe 40
C:\Windows\system32\wlrmdr.exe 38
C:\WINDOWS\system32\wlrmdr.exe 36
C:\Windows\system32\wlrmdr.exe 33
C:\Windows\system32\wlrmdr.exe 38

Possible Misuse

The following entries are possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma, Source File: proc_creation_win_lolbin_wlrmdr.yml, License: DRL 1.0
  • title: Wlrmdr Lolbin Use as Launcher
  • description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
  • Image|endswith: wlrmdr.exe

Source: LOLBAS, Source File: Wlrmdr.yml
  • Name: Wlrmdr.exe
  • Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
  • Description: Execute calc.exe with wlrmdr.exe as parent process
  • Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
  • Path: c:\windows\system32\wlrmdr.exe
  • IOC: wlrmdr.exe spawning any new processes

MIT License. Copyright (c) 2020-2021 Strontic.