wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 0F652BF7ADA772981E8AAB0D108FCC92
SHA1 D86FD7085E2BDC2C5B8720BD228BBFC2772B70D0
SHA256 EB391B2BB8949242B9EC4A6210F3D877C7CC6F9CE8872940D0E67FA7C12A9860
SHA384 E331077F38F3DDECD9D06272E4C9ED383D4B5A9512B80059FAAE289367899A0167AE08009CF40D29C606318C68D39602
SHA512 01D76B459C669536E2AB94E129C72D94D95E72A43E1621C624E6A600C5BE3137C54A09D58E68EEF83E7E45AA37586F553F0E95815C26B8764C710562F1676887
SSDEEP 3072:dhU23v22R5v+WX8wxFJ+yC3pwRb6JPqB604HHy7hRCd39vNGF:fU23vRu48wIVJyB60OHyLC7vm

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3686 (rs1_release.200504-1524)
  • Product Version: 10.0.14393.3686
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 43
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 43
C:\Windows\system32\WerFaultSecure.exe 66
C:\Windows\system32\WerFaultSecure.exe 60
C:\WINDOWS\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 63
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 65
C:\Windows\system32\WerFaultSecure.exe 68
C:\Windows\system32\WerFaultSecure.exe 61
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 65
C:\WINDOWS\system32\wermgr.exe 47
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 60
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 57
C:\windows\system32\wermgr.exe 66
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 55
C:\windows\SysWOW64\WerFault.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 65
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 65
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 61
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 65
C:\windows\SysWOW64\wermgr.exe 68
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 36
C:\WINDOWS\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 52
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 50

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.