wlrmdr.exe

  • File Path: C:\Windows\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

  • MD5: E18544710300FA84B16E556D8915EC6C
  • SHA1: 191AA2AB2640DBEF142D1F46870B43C141A74E98
  • SHA256: 6A90BB51F5F54BF1CC66D95D078E119C74FBF6FCEB69C1301D65E25F03E596F0
  • SHA384: F964E3B4C6861EBFCF0168B03517955A5D4C5484147A364053B90C86C97B7FE78D5A262BA9070D71F684ACAFB5FA5739
  • SHA512: A94754E47D75EC9D06283BF175FA503BB2C3B952C947F2B1BB90B7BCF6B05CF20FE9ACD1C25E6756F339F406B8B463FE0A50908F2D1D632A0ECA90CF49A8F133
  • SSDEEP: 1536:jq4T59iOiNz2Sw31dzLQKYq96insvqr9PxDtYcPRdrI:z4O0zGH/QKY86fu9ZDtYcJdrI

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

Matching files and their ssdeep similarity score:

  • C:\windows\system32\wlrmdr.exe: 35
  • C:\Windows\system32\wlrmdr.exe: 33
  • C:\Windows\system32\wlrmdr.exe: 33
  • C:\WINDOWS\system32\wlrmdr.exe: 35
  • C:\Windows\system32\wlrmdr.exe: 35

Possible Misuse

The following entries contain possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry lists the source, the source file, the quoted excerpt, and the license of the source where one is given.

  • sigma, proc_creation_win_lolbin_wlrmdr.yml: title: Wlrmdr Lolbin Use as Launcher (DRL 1.0)
  • sigma, proc_creation_win_lolbin_wlrmdr.yml: description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute (DRL 1.0)
  • sigma, proc_creation_win_lolbin_wlrmdr.yml: Image|endswith: wlrmdr.exe (DRL 1.0)
  • LOLBAS, Wlrmdr.yml: Name: Wlrmdr.exe
  • LOLBAS, Wlrmdr.yml: - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"
  • LOLBAS, Wlrmdr.yml: Description: Execute calc.exe with wlrmdr.exe as parent process
  • LOLBAS, Wlrmdr.yml: Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures
  • LOLBAS, Wlrmdr.yml: - Path: c:\windows\system32\wlrmdr.exe
  • LOLBAS, Wlrmdr.yml: - IOC: wlrmdr.exe spawning any new processes

MIT License. Copyright (c) 2020-2021 Strontic.