🪟 LOLBAS / Wlrmdr.exe

Wlrmdr.exe

Windows Logon Reminder executable

Paths

  • c:\windows\system32\wlrmdr.exe

Commands

Execute

Execute executable with wlrmdr.exe as parent process

Use case: Use wlrmdr as a proxy binary to evade defensive countermeasures

Privileges: User

wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u {PATH:.exe}

Detection

Resources