wermgr.exe

  • File Path: C:\WINDOWS\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 6F2FE9F476EE87D6240C73EDE3353FB3
SHA1 E57D3BF1041FBA0DEE6B711E2683F07526DC300B
SHA256 10CCD06B4405D2C18880EF8AED9D6F023F2D49F49F1603CB476238B2F2FA8381
SHA384 344038391C2BA4F8919A14AD49E71791A6C747F64788D74A75ED40D0F45F78E0FFBE707289F63EE9F06234D9BBA072CD
SHA512 540B12C766B383C03274D1F8F979F9A70C8588280F62D4FA2B9AD9754A11288E65F1365C4B59D9C6AC95094DE1A11BC8A4AD07D6F132AD0CD574273BE1FC5129
SSDEEP 6144:7MUQqMER1hrmygvf7WGFtBYefzVJyB60OHyLC7vet:wRqMEP1krBXc2HywG
IMP B93890654D84729F654DA6D78DC0C4C8
PESHA1 BFA3B550D6553095D5C701B3F834D6B7C08199F4
PE256 A743BAB627B7375463B9BC00AED6446031A7F7B77141D8098E50787C92BA378F

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/10ccd06b4405d2c18880ef8aed9d6f023f2d49f49f1603cb476238b2f2fa8381/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 41
C:\windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFault.exe 40
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 46
C:\WINDOWS\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 50
C:\WINDOWS\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 50
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 43
C:\windows\system32\wermgr.exe 47
C:\Windows\system32\werui.dll 43
C:\Windows\SysWOW64\WerFault.exe 46
C:\windows\SysWOW64\WerFault.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\wermgr.exe 47
C:\windows\SysWOW64\wermgr.exe 50
C:\Windows\SysWOW64\wermgr.exe 36
C:\WINDOWS\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 52
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 47

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.