wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 DF2AD28AC6BEDF07422537CCA6F1E637
SHA1 519C69EB52AACFF9E2123DD36C7F547EF918A274
SHA256 EDCE588F879E657B24037DD0AE3233C97CE9B0E4A115C62BBF00C983EF288A85
SHA384 0A779DD954D3526782F06129F317396CA0D78AA09F93264A32026171542A20085B7E28F8BE550EAA515365EBD8C90FD4
SHA512 5247220ED707B6BD7C866AE432276B1E5B11B61E444E13ECEC257C709F54F00A24C5DCBB1D23DDE3F061B7DE4913E6EA117D2FD0D26D1F3C3DBA015CAA87CADD
SSDEEP 3072:CteAK7APRbQ9Dijb4Z0o+AeuQEjusUlOsFJ+yC3pwRb6JPqB604HHy7hRCd39vRG:gemZj8JecusUlO/VJyB60OHyLC7vSj
IMP 70F5990F8FE8FCFC99DCF4D791F596C8
PESHA1 F801E7F188A184B71D610EE759BA835AE8800203
PE256 69435ABA5326511BF33683175A79F20DCB1A42D72EDDC17E79C43B501F0131FF

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wer.dll
C:\Windows\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.685 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.685
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/edce588f879e657b24037dd0ae3233c97ce9b0e4a115c62bbf00c983ef288a85/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 36
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 50
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 54
C:\WINDOWS\system32\WerFaultSecure.exe 57
C:\Windows\system32\WerFaultSecure.exe 57
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 63
C:\Windows\system32\WerFaultSecure.exe 55
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 60
C:\WINDOWS\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 47
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 58
C:\windows\system32\wermgr.exe 63
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 54
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 57
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 54
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 55
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\wermgr.exe 58
C:\windows\SysWOW64\wermgr.exe 55
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 32
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 50
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\werui.dll 52

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0
sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0
sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.