wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type     Hash
MD5      4C68AD8928D6DE43040805B45118212C
SHA1     BAAB9D6A773B03622230D04BFE101271F02EA23F
SHA256   163B8E6177378572CC370BD71F79400E5A94D39994F624B88930A8192EA000E3
SHA384   E36EF1D4DAD666EBB05B4E06EF8C85FF4EF2E67394ADC3908F3F432DBF1BD44A82F5A1773B75CA72B6271CCF52AC64F0
SHA512   F23B98C9BAB538A0732A1F81D56078FF58DE65F2D31C4785105C30718542880DC0DE902E1B63A6A5E5A36449BA6DB9665A436488F64151F640061E5F0BABCA64
SSDEEP   6144:MvelAWXB/uPqGI24HqRH4S0gC4C2kEFuobiO7VJyB60OHyLC7vtP:de5cKx4FgC4C2pcTOZc2HywR
IMP      7FD2842DEB95BE732351A40A75FE7619
PESHA1   08B1D5849BA5D61B910E3EFB524F216E70715FE1
PE256    AE79C7FFF9BCC60A5C06061ECE0C99E261157378B532CA56DFF13A0EB6E5B244

Runtime Data

Child Processes:

explorer.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.572 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.572
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/163b8e6177378572cc370bd71f79400e5a94d39994f624b88930a8192ea000e3/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 35
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 40
C:\Windows\system32\WerFault.exe 40
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 40
C:\WINDOWS\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 49
C:\WINDOWS\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 43
C:\WINDOWS\system32\wermgr.exe 43
C:\WINDOWS\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 43
C:\windows\system32\wermgr.exe 41
C:\Windows\system32\werui.dll 38
C:\Windows\SysWOW64\WerFault.exe 43
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 44
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\wermgr.exe 43
C:\windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 60
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\werui.dll 38

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File                            Example                                                                                                    License
sigma    sysmon_cve_2021_26857_msexchange.yml   - 'wermgr.exe'                                                                                             DRL 1.0
sigma    win_malware_trickbot_wermgr.yml        description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe   DRL 1.0
sigma    win_malware_trickbot_wermgr.yml        - '\wermgr.exe'                                                                                            DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.