wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1518 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1518
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/acba1fa5f47d1777984df28f0c30f70a2df45eeab0afda76ae09eafcd3533281/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 44
C:\WINDOWS\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 43
C:\WINDOWS\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 44
C:\windows\system32\wermgr.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\wermgr.exe 43
C:\windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 40

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.