wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wer.dll
C:\Windows\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.423 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.423
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/f7340a244c4b736d91abfb09b524077ae9924b9bca85c290682a8a42730cd93c/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 46
C:\Windows\system32\WerFaultSecure.exe 55
C:\Windows\system32\WerFaultSecure.exe 55
C:\WINDOWS\system32\WerFaultSecure.exe 57
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 55
C:\Windows\system32\WerFaultSecure.exe 65
C:\Windows\system32\WerFaultSecure.exe 52
C:\WINDOWS\system32\WerFaultSecure.exe 47
C:\Windows\system32\WerFaultSecure.exe 55
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 57
C:\WINDOWS\system32\wermgr.exe 46
C:\WINDOWS\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 66
C:\Windows\system32\wermgr.exe 57
C:\windows\system32\wermgr.exe 63
C:\Windows\system32\werui.dll 47
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 49
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 47
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 46
C:\Windows\SysWOW64\WerFaultSecure.exe 50
C:\Windows\SysWOW64\WerFaultSecure.exe 47
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\wermgr.exe 52
C:\windows\SysWOW64\wermgr.exe 52
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\werui.dll 47

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0
sigma | proc_creation_win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0
sigma | proc_creation_win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.