wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 DEF33E6FF117395A2F1BF5A06D0988E1
SHA1 BC6599A862E43682371671E6EF833B719CB26991
SHA256 9EDB0C76DF62B6E24A39A4C48E50B3366537ECF95EEB918B906DB107969C1B11
SHA384 2227A27B78431C01D132F16CA437C22DA70F7652A43BE5F7F84F31A0D8CAE5A62F0F743F43BF4CE5E2AD7E7E13565FBB
SHA512 70F9E8C1AFBFA136A53CBC0AEAC8671E0522E4AC0F3155AF650A9CAB3715F06409F3A1D6472052453B4573C0A3FA88F56A3B69D9981ED49C333800BAA7D085AC
SSDEEP 6144:/DE3FCMVvgu7T194YC6fcvcu3LJwlYn4obiOUVJyB60OHyLC7vRQy:S5Ybrmcvc0LJw+4TO8c2Hywh
IMP B13B01312EF92322A47FF8A93B6C4FBB
PESHA1 8D02887CD7C57C02C11E6FC3FA5626193473B870
PE256 7D01883B5E17A5C10237FC897E9346DF3BE87FC3FD05C5A22F17BE7202A16824

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.423 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.423
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/9edb0c76df62b6e24a39a4c48e50b3366537ecf95eeb918b906db107969c1b11/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 36
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 30
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 43
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 44
C:\WINDOWS\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 43
C:\WINDOWS\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 40
C:\WINDOWS\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 46
C:\windows\system32\wermgr.exe 40
C:\Windows\system32\werui.dll 43
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 35
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\wermgr.exe 47
C:\windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\WINDOWS\SysWOW64\wermgr.exe 36
C:\Windows\SysWOW64\wermgr.exe 46
C:\WINDOWS\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\werui.dll 40

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.