wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 3C5D8073B8A766DBFBB2B2A8257D1E59
SHA1 661B62BD26BCFBE5F3A795AE3D9AEFDDE92387F4
SHA256 EB41AF0D81823C5CF55EF807036EDA73A85ABCFDC544C8BF13B360834AE28D76
SHA384 AAC368BE2092BF52FCA99AFCA02DA1B79B3A7B0E3B0A61498430A7499381EC27FAC6480F0700D634C6A8896981BF371F
SHA512 B2FBB2D49D89E4F3FA568C2D371751C6D0B6A186DB0AA3000E1954EE2DBBE992B139C2F74251852856E20FA7723B54888B1F3DD6CD6AAC1299B8AE0B2D26021C
SSDEEP 3072:9OaE+yHAkwqnhIFfjzhSxYcVPY5NSCKKPnKlNJXR3tR5XeNwOdFJ+yC3pwRb6JP0:9jE+yHAkwqnKxj92VQSl4KlNnteNwOEs

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1369 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1369
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WerFaultSecure.exe 33
C:\Windows\system32\WerFaultSecure.exe 33
C:\WINDOWS\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 32
C:\Windows\system32\WerFaultSecure.exe 32
C:\Windows\system32\WerFaultSecure.exe 33
C:\Windows\system32\WerFaultSecure.exe 32
C:\Windows\system32\WerFaultSecure.exe 29
C:\WINDOWS\system32\WerFaultSecure.exe 32
C:\Windows\system32\WerFaultSecure.exe 35
C:\Windows\system32\wermgr.exe 35
C:\Windows\system32\wermgr.exe 32
C:\Windows\system32\wermgr.exe 32
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 35
C:\windows\system32\wermgr.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 33
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 33
C:\Windows\SysWOW64\WerFaultSecure.exe 33
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 33
C:\Windows\SysWOW64\wermgr.exe 36
C:\windows\SysWOW64\wermgr.exe 35
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 40

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.