wermgr.exe

  • File Path: C:\windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 E4F582A493C2570A23B30CAE2CEEAC19
SHA1 27B3A36233849C1037CAFCC97902720656A5E43A
SHA256 171FEC664BF454217F5E5D23B782ECAA7A07F3989703B4D6BF2C213721B0395A
SHA384 7DD0EFA07A5DD6A8DB2854B79A75DA0140F3EF19C4AEED6BFF4D9EC4EBF13773CA73EC38B3C46824D50DE1A8A74AE1B3
SHA512 D5BDE3A281C74D1B80EB3662EB37A24442E07ED465D23E03C021564F82625BB4360E1A559C683A3F40E872D7CF8F83FE54F1918FBB7D417F0A9D86A05D243C12
SSDEEP 6144:tGm+eeAMHJC24khtkqAdmMuFOKrVJyB60OHyLC7v4:tGmJeAo4khymhOWc2Hyww

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1282 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 36
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 41
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 52
C:\WINDOWS\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\WerFaultSecure.exe 52
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 47
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 50
C:\Windows\system32\wermgr.exe 55
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 50
C:\WINDOWS\system32\wermgr.exe 43
C:\WINDOWS\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 49
C:\windows\system32\wermgr.exe 50
C:\Windows\system32\werui.dll 43
C:\Windows\SysWOW64\WerFault.exe 46
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 43
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\wermgr.exe 47
C:\windows\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 40
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 46
C:\WINDOWS\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\werui.dll 46

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma proc_creation_win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.