WerFault.exe

  • File Path: C:\Windows\SysWOW64\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 B1634613B6AF2A89199C9FB69592FE11
SHA1 EE79CE984BAA2FBAD89380175EF6FB74FC01D98C
SHA256 23E2B8DC4B1327ED034FFCF7B04C6F52558271339A52B46D9968D7950DADC160
SHA384 AAFE111D13A6E4E3737668F0F72E3E3A1B4CD4FA380DC033021005EDC903827F9CD9C0BD902EF9647D49EE8403A53248
SHA512 EC7077446FDEE7DFA92C97343046336CA9B9C2EA37A271362A03AE2E92EA7DC179B48C37F30149D05BD842EF5F5D5F6D13511CF360536A17CC333BB9D299B79B
SSDEEP 12288:yvmb8TlogTyNUbl1vACGlxU0KuqhFugc2Hywnd:kmbwCgTyNUblmz7AuqhFugcyhnd

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.329 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.329
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma win_lsass_dump.yml Image\|endswith: '\werfault.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.