wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 2B5F4FFF330CD1B3B921DAF77330C205
SHA1 6EB05A9E95664FA1AB9A3F20679A94EE7E6A1760
SHA256 12C55E6C072775A148F04B9D2972C4E49BDB517C78D88BB09BD04540A0B4F889
SHA384 041815FC4AB08C72585D2E616A29C6F6CFC07F68F1F3CF57AD2B481A8D392F0614483C60D73BCA3A82B12797E359C60D
SHA512 6F2B30518661F5B548421E3DF70B22FAB987FF948D960EC9E3827C9EBD0520920FAF0F1B5178B7E19B1134759F49643B2B32FBB6B564B2ACF6E3FB0CB6506C60
SSDEEP 6144:CBaSuv69mopxeT+m5R7N8bl40xjPiobiFXVJyB60OHyLC7v/a:8uLuSJObl42jKTFlc2Hyw3a

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.329 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.329
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 36
C:\WINDOWS\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 40
C:\WINDOWS\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 36
C:\WINDOWS\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 44
C:\windows\system32\wermgr.exe 43
C:\Windows\system32\werui.dll 46
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 33
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 44
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\wermgr.exe 44
C:\windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\werui.dll 44

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.