wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 E856524BF40EB2A050195C39989C8DD5
SHA1 1844AB985105E15B224EEAFE2820FE5D12E8AE03
SHA256 23DE870A5147F2E3E9ACA874530394EF1D6F5E68A469A242A8EB1D1669FDFA01
SHA384 585A51B9CE9118F0896B6AC59C5EF8CF96D7FA2EE1DB6FC1A72F977A6CAA16A0374115C9A4B9E1A9F14CA80410118EEC
SHA512 A50DBD9B2F31FDDCEEF2F11DEFBAF0DC04C06DE15A99A2C0C3E5347E74537C689D29E447B84344E7073FDEB29B58DB18B25EC66D2438EA9D23138A9DD0826DF9
SSDEEP 3072:qNRhlAgWx+QvXKpBduvtjtuzd++hpsU+O7FJ+yC3pwRb6JPqB604HHy7hRCd39vr:YR0GHIcdbjsU+OmVJyB60OHyLC7vr
IMP 70F5990F8FE8FCFC99DCF4D791F596C8
PESHA1 03A451E1DE14F77E698B3EA6FED9E6D7CCE68C0C
PE256 BACB81361ADA74892A6FF172753B6A4A71D6369EFFBB5AB8919B709C4A557EF6

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wer.dll
C:\Windows\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.572 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.572
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/23de870a5147f2e3e9aca874530394ef1d6f5e68a469a242a8eb1d1669fdfa01/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 40
C:\windows\system32\WerFault.exe 44
C:\Windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 46
C:\Windows\system32\WerFaultSecure.exe 61
C:\Windows\system32\WerFaultSecure.exe 54
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 57
C:\Windows\system32\WerFaultSecure.exe 61
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 60
C:\WINDOWS\system32\WerFaultSecure.exe 55
C:\Windows\system32\WerFaultSecure.exe 57
C:\Windows\system32\wermgr.exe 54
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 60
C:\WINDOWS\system32\wermgr.exe 44
C:\WINDOWS\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 66
C:\Windows\system32\wermgr.exe 55
C:\windows\system32\wermgr.exe 68
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\WerFaultSecure.exe 55
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 58
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 55
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\wermgr.exe 60
C:\windows\SysWOW64\wermgr.exe 57
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 32
C:\WINDOWS\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\werui.dll 47

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_cve_2021_26857_msexchange.yml - 'wermgr.exe' DRL 1.0
sigma win_malware_trickbot_wermgr.yml description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe DRL 1.0
sigma win_malware_trickbot_wermgr.yml - '\wermgr.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.