wermgr.exe

  • File Path: C:\Windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 F7991343CF02ED92CB59F394E8B89F1F
SHA1 573AD9AF63A6A0AB9B209ECE518FD582B54CFEF5
SHA256 1C09759DCD31FDC81BCD6685438D7EFB34E0229F1096BFD57D41ECFE614D07DC
SHA384 B04B8CF4956C6F645104CE4AFB27E543C60C24E9FBDBBCFC3881D58802E1EEF6DF5021F3D91245C82EE7988EA9351EA0
SHA512 FA3CF314100F5340C7D0F6A70632A308FCADB4B48785753310A053A510169979A89637B8B4FEDF4D3690DB6B8B55146E323CAD70D704C4E2EDE4EDFF5284237D
SSDEEP 3072:DZe+YV3uRPQohVELTZ6K0BpiftP3UlObwm2FJ+yC3pwRb6JPqB604HHy7hRCd39S:teCvE3nw0P3UlOnVJyB60OHyLC7vcJT
IMP 70F5990F8FE8FCFC99DCF4D791F596C8
PESHA1 A4FEA0891D1E7DA6C825D42C9334DADB3AB17D26
PE256 30F9C74BEA4EAAFF4BF1756185585A831D400407D5E27DA83AB0BDE48FB8EC9F

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1081 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1081
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 43
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 44
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 54
C:\WINDOWS\system32\WerFaultSecure.exe 57
C:\Windows\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 55
C:\Windows\system32\WerFaultSecure.exe 60
C:\Windows\system32\WerFaultSecure.exe 63
C:\Windows\system32\WerFaultSecure.exe 57
C:\WINDOWS\system32\WerFaultSecure.exe 54
C:\Windows\system32\WerFaultSecure.exe 57
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 57
C:\WINDOWS\system32\wermgr.exe 43
C:\WINDOWS\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 58
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 55
C:\Windows\system32\wermgr.exe 57
C:\windows\system32\wermgr.exe 60
C:\Windows\system32\werui.dll 50
C:\Windows\SysWOW64\WerFault.exe 50
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\WerFaultSecure.exe 57
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 57
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 54
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 52
C:\Windows\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\wermgr.exe 57
C:\windows\SysWOW64\wermgr.exe 54
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 35
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 47
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\werui.dll 46

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_cve_2021_26857_msexchange.yml | `- 'wermgr.exe'` | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | `description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe` | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | `- '\wermgr.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.