wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 5EEBCCABE74604D756E9F7D9A3D30C2C
SHA1 FA1538F2825519C6704C877D8B81C88FD5696EE1
SHA256 2973E50E212EFBC6623B0F69FE2E6A7CF4B5AA5A2E5A4A7895671F369AB04190
SHA384 B8CAE60F9367FDDACF59BB6AE7B7FE5B16DE5D9C977E81D0F3211E1A1E9708D8274DE17BE44390051E25FC1DCE03FE34
SHA512 8BD72AA3DB9F813CA5EA19699A34D03302F9103C954C96B8A2F086F5BC5BF13786D54BFC5F63B02BAFB03268994911019552192D34EA519180155DA74554A35B
SSDEEP 3072:xC/J8GESt87XUYG7FJ+yC3pwRb6JPqB604HHy7hRCd39vNjj:xC/Mt7XUYGmVJyB60OHyLC7vV

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3686 (rs1_release.200504-1524)
  • Product Version: 10.0.14393.3686
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 41
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 40
C:\Windows\system32\WerFault.exe 46
C:\Windows\system32\WerFaultSecure.exe 68
C:\Windows\system32\WerFaultSecure.exe 66
C:\WINDOWS\system32\WerFaultSecure.exe 61
C:\Windows\system32\WerFaultSecure.exe 66
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 69
C:\Windows\system32\WerFaultSecure.exe 66
C:\Windows\system32\WerFaultSecure.exe 63
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 66
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 49
C:\WINDOWS\system32\wermgr.exe 50
C:\WINDOWS\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 60
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 60
C:\Windows\system32\wermgr.exe 57
C:\Windows\system32\wermgr.exe 57
C:\windows\system32\wermgr.exe 66
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 65
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 61
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 61
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\Windows\SysWOW64\wermgr.exe 65
C:\windows\SysWOW64\wermgr.exe 65
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 35
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 49
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 50

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.