wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 CD042F94B63D67E012CFB4297D313248
SHA1 231052FA4311FA3501539E34E21A624921E3C270
SHA256 61A84B2D8CA05C11E79DB8E18FEB0FE4BE1B8D555D0BE2651516B144800153AB
SHA384 00E3F0C70E33077F4EB760F883792769FA91CC1C40F830284487E65E61A8BA2305006FF0B951AC817B66A4C82DA3FF8B
SHA512 A16B4504C0E87E4E690F947DCA488F7A47CE42B65D59AA04052FD447F71BA7FA4B3601D349B1668FBD91C460B09BC3C50FDBC9F9E179902361FE079A3A154E33
SSDEEP 6144:fQ8dDWsoA3LNCscmA5pyjSnBzzVMuFOU9A+VJyB60OHyLC7v0:fTdKsow9A5MWphOU9Jc2Hyws

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1369 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1369
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 40
C:\windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 40
C:\WINDOWS\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 41
C:\WINDOWS\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 41
C:\windows\system32\wermgr.exe 49
C:\Windows\system32\werui.dll 41
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\wermgr.exe 44
C:\windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\wermgr.exe 36
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\werui.dll 41

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0
sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0
sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.