wlrmdr.exe

  • File Path: C:\WINDOWS\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

| Type | Hash |
| --- | --- |
| MD5 | A6F7BB4E57150E73A60FEB3C0DE8AF7A |
| SHA1 | 2189A584884301D9F9F627E0521137777D5ECCE2 |
| SHA256 | AFD7A491842A8C8685D6B07A7AB915C3DCF9B6C157485C143ED0D0EC81C71C58 |
| SHA384 | 4F4C846A70683F67EE75437073CDBC419DF7EF3CBDF283107B31802C467F71FC2E457922C3ED7624597803AF35BD1CDF |
| SHA512 | 948A1AEAFF9606F8A98973E8E31FD25377A63D8C06F1CB8B37883F6EAF03790577D9DFE2631D6D0E81D0455C44C409CDF021F0F5820149D891F9BAC7FD2F0133 |
| SSDEEP | 1536:xD4X02Ldm8340UVhJvNysbsvqr9PxDtrrP7:t2LdmC4dJvkxu9ZDtrrj |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\windows\system32\wlrmdr.exe | 44 |
| C:\Windows\system32\wlrmdr.exe | 44 |
| C:\Windows\system32\wlrmdr.exe | 36 |
| C:\Windows\system32\wlrmdr.exe | 35 |
| C:\Windows\system32\wlrmdr.exe | 46 |

Possible Misuse

The following table lists known examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality (launching a program via its -u parameter) can be abused as a proxy-execution technique.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_lolbin_wlrmdr.yml | title: Wlrmdr Lolbin Use as Laucher | DRL 1.0 |
| sigma | proc_creation_win_lolbin_wlrmdr.yml | description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute | DRL 1.0 |
| sigma | proc_creation_win_lolbin_wlrmdr.yml | Image\|endswith: wlrmdr.exe | DRL 1.0 |
| LOLBAS | Wlrmdr.yml | Name: Wlrmdr.exe | |
| LOLBAS | Wlrmdr.yml | - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" | |
| LOLBAS | Wlrmdr.yml | Description: Execute calc.exe with wlrmdr.exe as parent process | |
| LOLBAS | Wlrmdr.yml | Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures | |
| LOLBAS | Wlrmdr.yml | - Path: c:\windows\system32\wlrmdr.exe | |
| LOLBAS | Wlrmdr.yml | - IOC: wlrmdr.exe spawning any new processes | |

MIT License. Copyright (c) 2020-2021 Strontic.