wermgr.exe boot offdmpsvc.dll lolbin
When run with the `-boot` command line argument, wermgr.exe attempts to load a specific DLL (offdmpsvc.dll), which can be used to execute malicious code. 2025-6-14 23:35:7 Author: www.hexacorn.com

As in the previous case, wermgr.exe accepts many command line arguments:

-boot
-clean
-datacollectorcreate
-nonelevated
-outproc
-purgestores
-queuereporting
-queuereporting_svc
-queuereporting_s_machine
-upload
-uploadforce
-waitforpendingreports

The -boot one is interesting, as it triggers a code path in the program that attempts to load the following phantom DLL:

C:\Windows\System32\offdmpsvc.dll

As such, placing your payload in the aforementioned DLL will lead to its execution when you launch the following command:

wermgr -boot
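
For detection, the behaviour above gives three signals: a file written to the phantom DLL path, wermgr.exe launched with -boot, and wermgr.exe loading that DLL. The following is an added example, not code from the original post; the event schema, field names and host names are hypothetical, and the sample events are constructed.

```python
import ntpath
import re

PHANTOM_DLL = r"c:\windows\system32\offdmpsvc.dll"    # path named in the post
BOOT_ARG = re.compile(r"(?<!\S)-boot(?!\S)", re.I)    # -boot as a whole argument

# Constructed sample telemetry (hypothetical schema: process creation,
# file creation and image load events already parsed into dicts).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\wermgr.exe", "cmdline": "wermgr.exe -upload"},
    {"type": "file_create", "host": "ws02", "image": r"C:\Temp\setup.exe",
     "target": r"C:\Windows\System32\offdmpsvc.dll"},
    {"type": "process_create", "host": "ws02",
     "image": r"C:\Windows\System32\wermgr.exe", "cmdline": "wermgr  -BOOT"},
    {"type": "image_load", "host": "ws02",
     "image": r"C:\Windows\System32\wermgr.exe",
     "target": r"C:\Windows\System32\OffDmpSvc.dll"},
    {"type": "process_create", "host": "ws03",
     "image": r"C:\Windows\System32\wermgr.exe", "cmdline": "wermgr.exe -boot"},
]

def classify(event):
    """Return a finding label for one event, or None if it is not relevant."""
    image = ntpath.basename(event["image"]).lower()
    target = ntpath.normpath(event.get("target", "")).lower()
    if event["type"] == "file_create" and target == PHANTOM_DLL:
        return "phantom_dll_written"
    if (event["type"] == "image_load" and image == "wermgr.exe"
            and target == PHANTOM_DLL):
        return "phantom_dll_loaded"
    if (event["type"] == "process_create" and image == "wermgr.exe"
            and BOOT_ARG.search(event["cmdline"])):
        return "wermgr_boot"
    return None

def triage(events):
    """Group findings per host. The DLL being written or loaded rates 'high';
    -boot alone rates 'review' (the post does not say how common it is)."""
    hosts = {}
    for ev in events:
        label = classify(ev)
        if label:
            hosts.setdefault(ev["host"], set()).add(label)
    strong = {"phantom_dll_written", "phantom_dll_loaded"}
    return {h: ("high" if f & strong else "review", sorted(f))
            for h, f in hosts.items()}
```
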

Article source: https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/