wermgr.exe

  • File Path: C:\windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 20FA16AAE2860CAFC503651E1D8A0B87
SHA1 065023EF07416EB741C8F3CC7ABF9DB94BE464D3
SHA256 E009858F54086CDEC86D5C1C55E6D3DC7A678D158D863F74BE1944F3FD1BBB16
SHA384 C878EF1AF194D28D6DB2A1DDE71118F9A12AFD089ADE5563A796D0CE594A81EE2FD4E8FD3B87836FB7F7003803A6DFDC
SHA512 727F75DE21DE977A195F1BCBCD86E4FD71E11EB0279EED7540B9876786FBAD5EF97ADAC3696C72466F10D6A804977EF3FEF040625A16E910B7292474FA4758AB
SSDEEP 3072:MS659z6JESF0JBho1Q3xXfMBLICq8/HRtsHdwCAheNwOOFJ+yC3pwRb6JPqB604o:MPHz6JESF0JvoWJULbffRtciheNwOVVC

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1282 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 38
C:\WINDOWS\system32\WerFaultSecure.exe 38
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 40
C:\WINDOWS\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 38
C:\windows\system32\wermgr.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\wermgr.exe 43
C:\windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 44

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.