wlrmdr.exe

  • File Path: C:\Windows\system32\wlrmdr.exe
  • Description: Windows logon reminder

Hashes

Type Hash
MD5 EF9BBA7A637A11B224A90BF90A8943AC
SHA1 4747EC6EFD2D41E049159249C2D888189BB33D1D
SHA256 2FDA95AAFB2E9284C730BF912B93F60A75B151941ADC14445ED1E056140325B1
SHA384 A94D2D4294C6787317F796EE644B3E566670F74BC053D00EC80DF278146F2E6FA78BFEE174024932393D2FE5F59E0E94
SHA512 4C1FDB8E4BF25546A2A33C95268593746F5AE2666CE36C6D9BA5833357F13720C4722231224E82308AF8C156485A2C86FFD97E3093717A28D1300D3787EF1831
SSDEEP 1536:n4nL90P0RrGKB8zRUe6kqThzgyf8svqr9PxDt8erP/:2L90P0R2zRqtzhru9ZDt8er
IMP 0C029EF03BE0DFE4324558843609A28E
PESHA1 73C3557853BE95D8C547FD39B3105E99FAD64642
PE256 84F5419CDA6E4ABBC87B6D96263C4AA012A5D13ABB621ACBA8F55EB2BB28C945

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\wlrmdr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WLRMNDR.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1/detection

File Similarity (ssdeep match)

File Score
C:\windows\system32\wlrmdr.exe 35
C:\Windows\system32\wlrmdr.exe 38
C:\Windows\system32\wlrmdr.exe 38
C:\WINDOWS\system32\wlrmdr.exe 46
C:\Windows\system32\wlrmdr.exe 35

Possible Misuse

The following table contains possible examples of wlrmdr.exe being misused. While wlrmdr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_lolbin_wlrmdr.yml title: Wlrmdr Lolbin Use as Laucher DRL 1.0
sigma proc_creation_win_lolbin_wlrmdr.yml description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute DRL 1.0
sigma proc_creation_win_lolbin_wlrmdr.yml Image|endswith: wlrmdr.exe DRL 1.0
LOLBAS Wlrmdr.yml Name: Wlrmdr.exe  
LOLBAS Wlrmdr.yml - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"  
LOLBAS Wlrmdr.yml Description: Execute calc.exe with wlrmdr.exe as parent process  
LOLBAS Wlrmdr.yml Usecase: Use wlrmdr as a proxy binary to evade defensive countermeasures  
LOLBAS Wlrmdr.yml - Path: c:\windows\system32\wlrmdr.exe  
LOLBAS Wlrmdr.yml - IOC: wlrmdr.exe spawning any new processes  

MIT License. Copyright (c) 2020-2021 Strontic.