wermgr.exe

  • File Path: C:\WINDOWS\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 C96DD16FBFACF3E22A1C0B7DCFDFCBBB
SHA1 136CFB077047C8181AFC106DA2284B477EAA85D3
SHA256 C5EC3FCA29D708229326CD91CDCF2F7FF82F8BFB23EA686D81ABBB28F54C887D
SHA384 0D7F2D6445605A9D3652E594094A3C925A98E29A7FB6D51391C6104F3B6E562217517440EFDFEF0B80685FF768A6E845
SHA512 06C9A0EF704B83906136024011C8594ADD2662260C17F6A1752221EAD554E8166E5B6EFAA0FFAB9DC64769BB38605104D248634345D31006F2B1A0ABFE220C35
SSDEEP 6144:7wiWcFz+payWJNZnKFzOaXVJyB60OHyLC7v6:7wQFz8W9OOalc2Hywy

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.836 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.836
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 44
C:\windows\system32\WerFault.exe 41
C:\Windows\system32\WerFault.exe 32
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 44
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\WINDOWS\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 61
C:\Windows\system32\WerFaultSecure.exe 50
C:\WINDOWS\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 54
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 50
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 46
C:\windows\system32\wermgr.exe 52
C:\Windows\system32\werui.dll 46
C:\Windows\SysWOW64\WerFault.exe 46
C:\windows\SysWOW64\WerFault.exe 33
C:\Windows\SysWOW64\WerFaultSecure.exe 55
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\wermgr.exe 47
C:\windows\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 41
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\werui.dll 43

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.