WerFault.exe

  • File Path: C:\Windows\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 D6DA73EF6271A7C2B5DD7CE94393470C
SHA1 B468FC0EB9977F2F2DC9B6C2A0B10A1969A0C29E
SHA256 3B4CEFD893A605D8CC768A09AB0F34BBB02D21495EB088F582095D985944F247
SHA384 DA8B3A74D45B39C6A5FA473868BD19645CAB9F0D8EC766B813D7EF1E800B4C1E4B9179950DA823605BDEFBDDCD91547F
SHA512 DB8FF115A232D56DCDE8D584699DBE2FFE8D18F43CFD7683152F63B97E6C560542578F971C0F8B5EF98281DE58ED581779CF5F74B66FB79452FE85E2F40A41C0
SSDEEP 6144:MUSFI3/9XHlM6PamS1XFhPpDB1/VliLomj10uyHOE71+qiOBnUGVJyB60OHyLC7b:UIdK6+1XFTDbVUom50DiOBnUGc2Hywb
IMP 58646A08EC3B9CF4BF7D3A86852FFDC4
PESHA1 7C0C955D020098427237C9587B8D2223664D1421
PE256 DB33652A5DBE1F9F29DF71FA3047E6A3CA8346F668B93E5FDB8A113EFE5BDF3C

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPTSP.dll
C:\Windows\system32\dbghelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wer.dll
C:\Windows\system32\WerFault.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/3b4cefd893a605d8cc768a09ab0f34bbb02d21495eb088f582095d985944f247/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 35
C:\windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 30
C:\Windows\system32\WerFault.exe 38
C:\Windows\system32\WerFaultSecure.exe 32
C:\WINDOWS\system32\WerFaultSecure.exe 38
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 35
C:\Windows\system32\WerFaultSecure.exe 32
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 40
C:\WINDOWS\system32\wermgr.exe 33
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 35
C:\Windows\system32\wermgr.exe 35
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 38
C:\windows\system32\wermgr.exe 35
C:\Windows\system32\werui.dll 38
C:\Windows\SysWOW64\WerFault.exe 35
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\wermgr.exe 35
C:\windows\SysWOW64\wermgr.exe 35
C:\Windows\SysWOW64\wermgr.exe 36
C:\WINDOWS\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\werui.dll 38

Possible Misuse

The following table contains possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma win_lsass_dump.yml Image|endswith: '\werfault.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.