wermgr.exe

  • File Path: C:\WINDOWS\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 AAB247EB21C769598ED0B28D808863A1
SHA1 D632E1DB5FFB9928E1FBEBE53E02DE7FF837ED64
SHA256 47DCC9FA193D17FEC71EF1314134489A925B3782BE0DEA5786CD7A72715E238D
SHA384 2FCF94A0CD8AFFEA0679EE0698189857AA164D9B928D24DEC2E4BA1629BE11D0864D22232FCA55C2DC304513A19E6C4F
SHA512 F3EF39DE7EA17C2C15B96918286BE0E845594B497173291459E9FEAE0FCC9B7621484D22230A4E138BDF328992A09114373BC1B7619684D7135F6A637310B292
SSDEEP 6144:yeR8uEfTkyw7cvkZwAWBYr4VJyB60OHyLC7vjt:B8NT8QvOwbBuQc2HywJ
IMP 6DAA0168C80857AC6E461C66773086FF
PESHA1 F93018E796874335FA54D575C3160B3BB5807C8D
PE256 657F72E8E7D3FDFDEE637D2BCB2BDA590B0B1CB961349C9F58BB7F401F89F4CF

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/47dcc9fa193d17fec71ef1314134489a925b3782be0dea5786cd7a72715e238d/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 54
C:\WINDOWS\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 49
C:\WINDOWS\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 49
C:\WINDOWS\system32\wermgr.exe 52
C:\WINDOWS\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 47
C:\windows\system32\wermgr.exe 50
C:\Windows\system32\werui.dll 46
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 44
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\wermgr.exe 52
C:\windows\SysWOW64\wermgr.exe 49
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\werui.dll 50

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.