wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 51F8D9C50CCF160D67388651DB19AC28
SHA1 4359480191243CBDB763F85BC5A31EEB5A26F759
SHA256 62A913977B0C17269B19A60727E24B4CFD10CC5C482E41EE9784AD16515FFE38
SHA384 F8F024B8726C5531F7BD4622C1B8BCF3BF1F1E5918BE33832DCF3FA984554C798278175A3C4218ABB8E3E398C606E769
SHA512 D73E691C7F90BD18AD6557F7D94BC77F6046CE71881765E4CBE629ADB787B2867FD0F5B15A9334D100DAB1AAD15D3EE787769461AF08094205F03B1DB6E83852
SSDEEP 6144:f57deIETqiBNsuYsssUeFBJVJyB60OHyLC7v5:f3VMFpc2HywR

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.329 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.329
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 40
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 46
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 49
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 54
C:\Windows\system32\WerFaultSecure.exe 50
C:\WINDOWS\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 49
C:\WINDOWS\system32\wermgr.exe 47
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 49
C:\windows\system32\wermgr.exe 50
C:\Windows\system32\werui.dll 40
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\wermgr.exe 49
C:\windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 40
C:\WINDOWS\SysWOW64\wermgr.exe 49
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 50

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.