wermgr.exe

  • File Path: C:\Windows\SysWOW64\wermgr.exe
  • Description: Windows Problem Reporting

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wermgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerMgr
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1081 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1081
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/2e3a50377a292687519bb004d77d1a289646b59d21dd6147347d2816ac679e9e/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 38
C:\windows\system32\WerFault.exe 38
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 43
C:\Windows\system32\WerFaultSecure.exe 49
C:\Windows\system32\WerFaultSecure.exe 41
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\WerFaultSecure.exe 41
C:\Windows\system32\WerFaultSecure.exe 46
C:\Windows\system32\WerFaultSecure.exe 38
C:\Windows\system32\WerFaultSecure.exe 43
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 43
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 41
C:\WINDOWS\system32\wermgr.exe 41
C:\WINDOWS\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 43
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 46
C:\windows\system32\wermgr.exe 43
C:\Windows\system32\werui.dll 44
C:\Windows\SysWOW64\WerFault.exe 44
C:\windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 40
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 41
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 44
C:\Windows\SysWOW64\wermgr.exe 41
C:\windows\SysWOW64\wermgr.exe 40
C:\Windows\SysWOW64\wermgr.exe 44
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 46
C:\WINDOWS\SysWOW64\wermgr.exe 44
C:\Windows\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 46
C:\Windows\SysWOW64\werui.dll 44

Possible Misuse

The following table contains possible examples of wermgr.exe being misused. While wermgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_cve_2021_26857_msexchange.yml | `- 'wermgr.exe'` | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | `description: Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe` | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_wermgr.yml | `- '\wermgr.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.