wermgr.exe

  • File Path: C:\windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 1908E6DCCB5C330CCF3F0AD7E83FA4FD
SHA1 6914D80D6308AB0D2116EC4FAEB24004B4351C59
SHA256 D7D7587C90EB23E3CC178E326A5EAB66F2528FF114BCBF92B499DD5F3924672C
SHA384 591F501FA3D410C49EC85AF8609FAA7C50CDB3F610981DA8D8EC5CB4AE9F34A7FB7E80E1072C80131A1FAFC975E75CBB
SHA512 22BB41A9159527A2AA2B8FCFDE73CF81230C3B9395A230DA9474560D1DCD8C5AA42AC720C8663D935E5A3B7A695C2E0DC50BDBF2589CA1AA3078D24E01791A00
SSDEEP 3072:5kHFyvqMc9Xhq8ItoFJ+yC3pwRb6JPqB604HHy7hRCd39vHLI1I:y6qMc9It7VJyB60OHyLC7vrmI

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.19649 (winblue_ltsb.200208-0600)
  • Product Version: 6.3.9600.19649
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 30
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 49
C:\Windows\system32\WerFaultSecure.exe 68
C:\Windows\system32\WerFaultSecure.exe 60
C:\WINDOWS\system32\WerFaultSecure.exe 63
C:\Windows\system32\WerFaultSecure.exe 65
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 68
C:\Windows\system32\WerFaultSecure.exe 69
C:\Windows\system32\WerFaultSecure.exe 57
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 65
C:\WINDOWS\system32\wermgr.exe 50
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 55
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 57
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 54
C:\windows\system32\wermgr.exe 69
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 55
C:\windows\SysWOW64\WerFault.exe 24
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\WerFaultSecure.exe 55
C:\Windows\SysWOW64\WerFaultSecure.exe 61
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 60
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 61
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\WerFaultSecure.exe 65
C:\Windows\SysWOW64\wermgr.exe 68
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 35
C:\WINDOWS\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 49
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\werui.dll 50

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.