wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 319F191E142B2720AE7E200F31E5413A
SHA1 6ABA542F080BF2F2B91CDEB8A571EA7BCBC6224A
SHA256 54D4F163BA41963A1E1BE46E14882BBBE98A45F635B098326D8E7DA2F2F77320
SHA384 9983201FFBE185C47F24C39B97597843D7F20F75227AA8043221E7F92B3B0CC20972CD9590D7F08DF4E4DD0ABB9538A0
SHA512 4DAAE41CFF8B95658F85EC59F06D5E754E1AF6DA1E23A00C3E23342E7459FDF0B1F45B4F4F3C743C12B02C702084261801637E92948F9C3CD9E61914AF5685D9
SSDEEP 6144:es5GeSJH/yTgTnPInbJkMuFO1VJyB60OHyLC7vSk:eVedTgjEkhOzc2HywJ
IMP D22C26E0BC8292A264EB6FB659373A7E
PESHA1 DDA0414C5BE27758991D773B66E484C789AFA895
PE256 8C5BC54EB2E9478AAF44A4B050C4699D174FD5F03D548C1F6B6F93E924055EB0

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wer.dll
C:\Windows\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1518 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1518
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/54d4f163ba41963a1e1be46e14882bbbe98a45f635b098326d8e7da2f2f77320/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 41
C:\windows\system32\WerFault.exe 40
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 44
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 50
C:\WINDOWS\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 47
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 47
C:\WINDOWS\system32\wermgr.exe 41
C:\WINDOWS\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 55
C:\Windows\system32\wermgr.exe 54
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 49
C:\windows\system32\wermgr.exe 46
C:\Windows\system32\werui.dll 41
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 46
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\wermgr.exe 44
C:\windows\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 43

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.