wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 B64826620DD8495C0191B536FA1B1D32
SHA1 76F80FDB20EBFFBCB511E7E1314F1862ACE226D6
SHA256 D5B2188F3BB067DF02FBC194AF4E34E538F15BD1F9AF739B260FA0E59E6A9BDC
SHA384 102694CD5EB8076CD1365B00D63084F4EC4146008FA077E6473D98F4F42F2DC6CD563CCE6A68216804498D4A4147F457
SHA512 FE57B0A4DCD79CDF2409107F4032017956D0EFB4818A8716B7420F85BA6B129F5F935496DD71EBF235BDC6640D06F26E82B339E586CF741A6BEB65FFA62F7C92
SSDEEP 6144:8aeFsyQB/uPqGI27Hq+HsD5knZhscDg6obiO4VJyB60OHyLC7vu:u2oXKxDmnZhsSBTOQc2HywG
IMP 7FD2842DEB95BE732351A40A75FE7619
PESHA1 1165FDCDF7F4F1F99D8AB00A60D93DAD5C12E878
PE256 4B78ADA4AB70973A3F3140948178A09E3C86825058FF8C48441389D1A8D8B712

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.685 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.685
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/d5b2188f3bb067df02fbc194af4e34e538f15bd1f9af739b260fa0e59e6a9bdc/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 35
C:\windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 41
C:\WINDOWS\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 46
C:\WINDOWS\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 41
C:\WINDOWS\system32\wermgr.exe 38
C:\WINDOWS\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 40
C:\windows\system32\wermgr.exe 41
C:\Windows\system32\werui.dll 41
C:\Windows\SysWOW64\WerFault.exe 38
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\wermgr.exe 41
C:\windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 60
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\werui.dll 38

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.