wermgr.exe

  • File Path: C:\windows\system32\wermgr.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 F88816F787B827695928ACE239A9F61C
SHA1 6C525EAD5E14B82B3E71F3EC1704F380BC374A57
SHA256 F489AAE1F59E19D15F44775D77A64686503AEBE11AEC6167167088EA03B545D5
SHA384 77B66E16DD0AC3F6A9A15FF923CAB20C2DC682D3BCD6073B3D1B3AC3845862EA5AC8A436A9C637E2574CE3111297DD45
SHA512 775CDCE6629A159F29C0087A875DD7A1FF00370BD178FC2C2B07DAA704930595E19D7D508F6F09BF22E28BD522DD71C7C2808CCB1D762CCF458DCC68CCF5A683
SSDEEP 3072:qme0YOnjdftFJ+yC3pwRb6JPqB604HHy7hRCd39vHwDk:AKjZUVJyB60OHyLC7vr

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.19649 (winblue_ltsb.200208-0600)
  • Product Version: 6.3.9600.19649
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 41
C:\windows\system32\WerFault.exe 41
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 35
C:\Windows\system32\WerFault.exe 46
C:\Windows\system32\WerFaultSecure.exe 71
C:\Windows\system32\WerFaultSecure.exe 61
C:\WINDOWS\system32\WerFaultSecure.exe 71
C:\Windows\system32\WerFaultSecure.exe 66
C:\Windows\system32\WerFaultSecure.exe 61
C:\Windows\system32\WerFaultSecure.exe 71
C:\Windows\system32\WerFaultSecure.exe 79
C:\Windows\system32\WerFaultSecure.exe 63
C:\WINDOWS\system32\WerFaultSecure.exe 58
C:\Windows\system32\WerFaultSecure.exe 63
C:\Windows\system32\wermgr.exe 46
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 66
C:\WINDOWS\system32\wermgr.exe 47
C:\WINDOWS\system32\wermgr.exe 52
C:\Windows\system32\wermgr.exe 49
C:\Windows\system32\wermgr.exe 63
C:\Windows\system32\wermgr.exe 50
C:\Windows\system32\wermgr.exe 68
C:\Windows\system32\wermgr.exe 63
C:\Windows\system32\wermgr.exe 60
C:\Windows\system32\werui.dll 57
C:\Windows\SysWOW64\WerFault.exe 54
C:\windows\SysWOW64\WerFault.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 65
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 65
C:\Windows\SysWOW64\WerFaultSecure.exe 63
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 61
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 58
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 68
C:\Windows\SysWOW64\WerFaultSecure.exe 60
C:\Windows\SysWOW64\WerFaultSecure.exe 68
C:\Windows\SysWOW64\wermgr.exe 66
C:\windows\SysWOW64\wermgr.exe 69
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\wermgr.exe 35
C:\WINDOWS\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 47
C:\WINDOWS\SysWOW64\wermgr.exe 50
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 43
C:\Windows\SysWOW64\werui.dll 52

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_cve_2021_26857_msexchange.yml | - 'wermgr.exe' | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe | DRL 1.0 |
| sigma | win_malware_trickbot_wermgr.yml | - '\wermgr.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.