WerFault.exe

  • File Path: C:\Windows\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 DDAA52E54923C29A2AC75BDA3CD7DADB
SHA1 FB699EDE9E65E4605CBEB32ECBFF2D113EA71932
SHA256 46CABAE805B8C9E95255814366F0E5517E30AB7E7414E4F288D6AC5072D6D140
SHA384 D4A06DB8DFE757AA774961C8001CBE6B2CCC5C190B205D75AD85D499390686887F22DE52375D6B48928A5B1D24A69A25
SHA512 FD9623031C7E7E8B8052A504AE45B03FD152C4D18D424AA22C477B1060DF2BFD38E288E5F26343C775C0F147BF0235C05E8D96E960343600520BC82F01DDC975
SSDEEP 6144:lcka7+n9gSLLQpIDniJ4buGUlCWWkgVJyB60OHyLC7v:/9gSXQpmiJRYW4c2Hyw

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 40
C:\windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 32
C:\Windows\system32\WerFault.exe 38
C:\Windows\system32\WerFaultSecure.exe 47
C:\WINDOWS\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 46
C:\WINDOWS\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 46
C:\windows\system32\wermgr.exe 46
C:\Windows\system32\werui.dll 44
C:\Windows\SysWOW64\WerFault.exe 40
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\wermgr.exe 43
C:\windows\SysWOW64\wermgr.exe 49
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\werui.dll 41

Possible Misuse

The following table contains possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma win_lsass_dump.yml Image\|endswith: '\werfault.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.