Analysis

Category FILE
Package exe
Started 2025-06-13 08:11:55
Completed 2025-06-13 08:42:40
Duration 1845 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Log(s)
2024-11-25 13:37:14,991 [root] INFO: Date set to: 20250612T19:22:32, timeout set to: 1800
2025-06-12 20:22:32,512 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:22:32,512 [root] DEBUG: Storing results at: C:\iDarMfdE
2025-06-12 20:22:32,512 [root] DEBUG: Pipe server name: \\.\PIPE\IMPWOAOm
2025-06-12 20:22:32,512 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:22:32,512 [root] INFO: analysis running as an admin
2025-06-12 20:22:32,512 [root] INFO: analysis package specified: "exe"
2025-06-12 20:22:32,512 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:22:33,325 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:22:33,325 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:22:33,325 [lib.common.common] INFO: wrapping
2025-06-12 20:22:33,325 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:22:33,325 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\IMEWDBLD.EXE
2025-06-12 20:22:33,325 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:22:33,325 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:22:33,325 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:22:33,325 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:22:33,528 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:22:33,559 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:22:33,590 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:22:33,590 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:22:33,606 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:22:33,606 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:22:33,606 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:22:33,606 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:22:33,606 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:22:33,606 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:22:33,621 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:22:33,621 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:22:33,621 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:22:33,621 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:22:33,621 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:22:33,621 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:22:33,621 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:22:33,621 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:22:33,778 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 20:22:33,778 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:22:33,778 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:22:33,778 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:22:33,778 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:22:33,778 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:22:33,778 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:22:33,778 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-12 20:22:33,778 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:22:33,778 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:22:33,778 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:22:33,778 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:22:33,778 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:22:33,778 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:22:33,778 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:22:33,778 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:22:33,793 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:22:33,793 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:22:33,793 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:22:33,793 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:22:33,793 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:22:33,793 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:22:33,793 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:22:33,793 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:22:33,793 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:22:33,809 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:22:33,809 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:22:33,824 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\NmhMelLB.dll, loader C:\tmp_gell1p8\bin\TfDuBatI.exe
2025-06-12 20:22:33,871 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:22:33,871 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-12 20:22:33,903 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:22:33,903 [root] INFO: Disabling sleep skipping.
2025-06-12 20:22:33,903 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:22:33,903 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:22:33,903 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:22:33,903 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:22:33,903 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:22:33,934 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:22:33,950 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:22:33,950 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:22:33,950 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6000, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-12 20:22:33,950 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:22:33,965 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:22:33,965 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:22:33,965 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-12 20:22:33,965 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:22:33,965 [ro <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 08:11:55
Shutdown On 2025-06-13 08:42:23
Route none

File Details

File Name IMEWDBLD.EXE
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 306176 bytes
MD5 f2c87a7ee17470cfaa346cd2800c0ec7
SHA1 60afe5d8b449d44f097adf1dffbcc042f7503e7c
SHA256 90e0f7d70da50c178e8ab75b217ca475cd9d64553ae40d65f6995ee8fbe21b96
SHA3-384 d212d0067ff21ba57bc2a77d2067f98090e5fbf08e92d4da4ba16c0c0f560a5916b417108d4532cd45099eaf895864bf
CRC32 850E9BFF
TLSH T160543912E7A440BAE1F35A3180AA633068B6BCB41B31468F7751BB5F2DB06C15F35B5B
Ssdeep 6144:OI9YzjCcQ9utidKrVvI9p+hOHOtU/sLRW3Yol6qV37Gs/UEVTppEX+:RYzGcAGidKrVvI9p+MHOi/003Fb37GsT
ShowWindow
connection_refused
variantKind
_onexit
IsValidSid
3&3;3D3I3f3
.CRT$XIAA
0Bs1ABJ9Ikk!I
no_protocol_option
failureType
Windows
function not supported
PluginGUID
Cabinet.dll
94:V:a:
If you want to change the dictionary settings, click Safety settings. If you are not confident in the dictionary quality, its default settings will minimize negative effects.
hresult
3/4>4V4|4
suffix
invalid argument
=L9o<
Microsoft.Windows.Wil.FeatureLogging
EAIME_OEDCompilerEnd
no such device
Naabtz
.idata$2
/1U1x1
%1!s!
.CRT$XCL
Yu Gothic UI
>)>a>q>
Cancel
illegal byte sequence
=$=0=P=\=|=
?what@exception@@UBEPBDXZ
adjectivalnoun-taru
nTqsuu
.tls$
?B?]?x?
5)535E5b5h5q5}5
;(;4;T;\;d;p;
1 101@1D1T1X1h1l1|1
DictionaryVersion
[OK]
qc1saR
.gfids
2L4o5
Total:
u$h|J@
%hs(%d)\%hs!%p:
7-8P8r8
g0j0O0f0o0D0Q0~0[0
Operating System
adnominal
t have valid words.
vector<T> too long
@.didat
%d,000
GetModuleHandleExW
IIDFromString
PSShxP@
:M:W:]:g:
0B1x1
_cexit
fo0\O
:https://go.microsoft.com/fwlink/?LinkID=232830&clcid=0x804
_lseek
GetLocalTime
eo}jG
Y0N0~0Y0
132B2
"%s" %s
OleRun
GetLastError
4K4R4
DosDateTimeToFileTime
LogHr
_amsg_exit
=[>r>
?terminate@@YAXXZ
Microsoft
Z90)JB(
W[&{2N*Y
<dependency>
09c!Mc
CommentHeader1
CommandLineToArgvW
Start
8.979Z9|9
.?AVCNodeInOutputStringItem@@
;<;V;k;s;};
2v2,323
'%s'
no_buffer_space
IME_OEDCompiler
5<aP
has been created.
name="Microsoft.Windows.Common-Controls"
393u3
??1exception@@UAE@XZ
InitOnceBeginInitialize
verb-5-g
hutw|ylka
8(848<8p8
>O?[?
_wfopen_s
.?AVCDigitalSignatureInfoUI@@
IMEDMLEX
n0$P
L0i0n0
RegCloseKey
GetSystemMenu
L0+T~0
lineNumber
_vsnwprintf_s

PE Information

Image Base 0x00400000
Entry Point 0x00021b70
Reported Checksum 0x0004ef1d
Actual Checksum 0x0004ef1d
Minimum OS Version 10.0
PDB Path imewdbld.pdb
Compile Time 1999-06-10 01:53:19
Import Hash 85ced23ac51cd18bbaafe23e9d922d75
Icon Exact Hash aa1672d32eebd49d20c2c71138a25148
Icon Similarity Hash 5f63cd97579b076d4e0b9200a6908ba2
Icon DHash 74f6dce4f4d8d8c4

Version Infos

CompanyName Microsoft Corporation
FileDescription Microsoft IME Open Extended Dictionary Module
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName imewdbld.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename imewdbld.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00025e50 0x00026000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.25
.data 0x00026400 0x00027000 0x00000d6c 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.72
.idata 0x00026c00 0x00028000 0x00001d7e 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.57
.didat 0x00028a00 0x0002a000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.11
.rsrc 0x00028c00 0x0002b000 0x0001fa40 0x0001fc00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.94
.reloc 0x00048800 0x0004b000 0x00002388 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.67

Name Offset Size Language Sub-language Entropy File type
WEVT_TEMPLATE 0x00045d50 0x000004e2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 None
RT_ICON 0x0002c118 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.47 None
RT_ICON 0x0002cfc0 0x00000ba8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.47 None
RT_ICON 0x0002db68 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.89 None
RT_ICON 0x0002e410 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.48 None
RT_ICON 0x0002ead8 0x00000608 LANG_ENGLISH SUBLANG_ENGLISH_US 4.83 None
RT_ICON 0x0002f0e0 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 4.19 None
RT_ICON 0x0002f648 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.39 None
RT_ICON 0x00031bf0 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.40 None
RT_ICON 0x00033658 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.23 None
RT_ICON 0x00034700 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.58 None
RT_ICON 0x00035088 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.65 None
RT_ICON 0x00035740 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.28 None
RT_ICON 0x00035c58 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.13 None
RT_ICON 0x00038200 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.18 None
RT_ICON 0x00039c68 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.71 None
RT_ICON 0x0003ad10 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.45 None
RT_ICON 0x0003b698 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.60 None
RT_ICON 0x0003bd50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.07 None
RT_ICON 0x0003c218 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.30 None
RT_ICON 0x0003e7c0 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.36 None
RT_ICON 0x00040228 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.92 None
RT_ICON 0x000412d0 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.63 None
RT_ICON 0x00041c58 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.70 None
RT_ICON 0x00042310 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.92 None
RT_DIALOG 0x00043160 0x0000090e LANG_ENGLISH SUBLANG_ENGLISH_US 3.34 None
RT_DIALOG 0x000441c0 0x000004ea LANG_JAPANESE SUBLANG_DEFAULT 5.10 None
RT_DIALOG 0x00044d18 0x000008e4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.46 None
RT_DIALOG 0x00043cf0 0x0000013c LANG_ENGLISH SUBLANG_ENGLISH_US 3.28 None
RT_DIALOG 0x000448c0 0x0000010a LANG_JAPANESE SUBLANG_DEFAULT 3.76 None
RT_DIALOG 0x00045818 0x000000fc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.85 None
RT_DIALOG 0x00043a70 0x00000280 LANG_ENGLISH SUBLANG_ENGLISH_US 3.22 None
RT_DIALOG 0x000446b0 0x0000020c LANG_JAPANESE SUBLANG_DEFAULT 3.61 None
RT_DIALOG 0x00045600 0x00000214 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.76 None
RT_DIALOG 0x00042ba8 0x000005b8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.42 None
RT_DIALOG 0x00043e30 0x00000390 LANG_JAPANESE SUBLANG_DEFAULT 4.70 None
RT_DIALOG 0x000449d0 0x00000348 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.97 None
RT_STRING 0x00046a08 0x00000190 LANG_ENGLISH SUBLANG_ENGLISH_US 3.10 None
RT_STRING 0x000488b8 0x00000110 LANG_JAPANESE SUBLANG_DEFAULT 3.88 None
RT_STRING 0x00049d08 0x000000ac LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.98 None
RT_STRING 0x00046e70 0x00000282 LANG_ENGLISH SUBLANG_ENGLISH_US 3.30 None
RT_STRING 0x00048c08 0x00000200 LANG_JAPANESE SUBLANG_DEFAULT 4.49 None
RT_STRING 0x00049f50 0x0000015e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.47 None
RT_STRING 0x000470f8 0x0000019e LANG_ENGLISH SUBLANG_ENGLISH_US 3.16 None
RT_STRING 0x00048e08 0x00000128 LANG_JAPANESE SUBLANG_DEFAULT 4.36 None
RT_STRING 0x0004a0b0 0x000000fa LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.53 None
RT_STRING 0x00047298 0x00000460 LANG_ENGLISH SUBLANG_ENGLISH_US 3.34 None
RT_STRING 0x00048f30 0x0000032a LANG_JAPANESE SUBLANG_DEFAULT 4.61 None
RT_STRING 0x0004a1b0 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.64 None
RT_STRING 0x000476f8 0x000004fe LANG_ENGLISH SUBLANG_ENGLISH_US 3.30 None
RT_STRING 0x00049260 0x00000314 LANG_JAPANESE SUBLANG_DEFAULT 4.66 None
RT_STRING 0x0004a438 0x0000027c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.86 None
RT_STRING 0x00046b98 0x0000016a LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_STRING 0x000489c8 0x00000132 LANG_JAPANESE SUBLANG_DEFAULT 4.06 None
RT_STRING 0x00049db8 0x000000be LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.11 None
RT_STRING 0x00046d08 0x00000168 LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_STRING 0x00048b00 0x00000108 LANG_JAPANESE SUBLANG_DEFAULT 4.12 None
RT_STRING 0x00049e78 0x000000d4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.81 None
RT_STRING 0x00046238 0x000000c4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.79 None
RT_STRING 0x00048450 0x00000080 LANG_JAPANESE SUBLANG_DEFAULT 3.46 None
RT_STRING 0x00049a20 0x00000050 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.75 None
RT_STRING 0x00046300 0x0000051c LANG_ENGLISH SUBLANG_ENGLISH_US 3.18 None
RT_STRING 0x000484d0 0x00000258 LANG_JAPANESE SUBLANG_DEFAULT 5.05 None
RT_STRING 0x00049a70 0x0000017a LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.09 None
RT_STRING 0x00046820 0x00000054 LANG_ENGLISH SUBLANG_ENGLISH_US 2.16 None
RT_STRING 0x00048728 0x00000042 LANG_JAPANESE SUBLANG_DEFAULT 3.08 None
RT_STRING 0x00049bf0 0x0000002e LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.18 None
RT_STRING 0x00046878 0x00000152 LANG_ENGLISH SUBLANG_ENGLISH_US 3.32 None
RT_STRING 0x00048770 0x0000010e LANG_JAPANESE SUBLANG_DEFAULT 4.93 None
RT_STRING 0x00049c20 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.11 None
RT_STRING 0x000469d0 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 1.48 None
RT_STRING 0x00048880 0x00000032 LANG_JAPANESE SUBLANG_DEFAULT 2.18 None
RT_STRING 0x00049cd8 0x0000002a LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.74 None
RT_STRING 0x00047bf8 0x000000f4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.94 None
RT_STRING 0x00049578 0x0000006c LANG_JAPANESE SUBLANG_DEFAULT 3.76 None
RT_STRING 0x0004a6b8 0x00000054 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.17 None
RT_STRING 0x00047cf0 0x00000504 LANG_ENGLISH SUBLANG_ENGLISH_US 3.34 None
RT_STRING 0x000495e8 0x000002f6 LANG_JAPANESE SUBLANG_DEFAULT 4.99 None
RT_STRING 0x0004a710 0x00000230 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.44 None
RT_STRING 0x000481f8 0x000000ac LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_STRING 0x000498e0 0x00000064 LANG_JAPANESE SUBLANG_DEFAULT 3.75 None
RT_STRING 0x0004a940 0x0000004a LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.90 None
RT_STRING 0x000482a8 0x000001a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.14 None
RT_STRING 0x00049948 0x000000d2 LANG_JAPANESE SUBLANG_DEFAULT 4.41 None
RT_STRING 0x0004a990 0x000000ae LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.95 None
RT_MESSAGETABLE 0x00045918 0x00000438 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_GROUP_ICON 0x00035ba8 0x000000ae LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_GROUP_ICON 0x0003c1b8 0x0000005a LANG_ENGLISH SUBLANG_ENGLISH_US 2.94 None
RT_GROUP_ICON 0x00042778 0x0000005a LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_VERSION 0x000427d8 0x000003d0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None
RT_MANIFEST 0x0002be40 0x000002d8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.82 None

Imports

Name Address
RegOpenKeyExW 0x428000
RegQueryValueExW 0x428004
RegCloseKey 0x428008
EventWriteTransfer 0x42800c
EventRegister 0x428010
EventUnregister 0x428014
EncryptFileW 0x428018
RegCreateKeyExW 0x42801c
RegSetValueExW 0x428020
RegEnumKeyExW 0x428024
RegDeleteTreeW 0x428028
EventSetInformation 0x42802c
GetSidSubAuthority 0x428030
GetSidSubAuthorityCount 0x428034
IsValidSid 0x428038
GetTokenInformation 0x42803c
OpenProcessToken 0x428040
Name Address
LocalAlloc 0x428098
LocalFree 0x42809c
GetTempPathW 0x4280a0
GetCommandLineW 0x4280a4
GetUserDefaultUILanguage 0x4280a8
CreateFileW 0x4280ac
GetFileTime 0x4280b0
LCMapStringW 0x4280b4
GetCurrentThread 0x4280b8
GetDateFormatW 0x4280bc
GetTimeFormatW 0x4280c0
DosDateTimeToFileTime 0x4280c4
LocalFileTimeToFileTime 0x4280c8
SetFileTime 0x4280cc
FileTimeToSystemTime 0x4280d0
SystemTimeToTzSpecificLocalTime 0x4280d4
SizeofResource 0x4280d8
SetThreadPriority 0x4280dc
FindResourceExW 0x4280e0
LoadResource 0x4280e4
GetLocalTime 0x4280e8
CreateThread 0x4280ec
GetModuleFileNameA 0x4280f0
Sleep 0x4280f4
SetFileAttributesW 0x4280f8
CopyFileW 0x4280fc
DeleteFileW 0x428100
DelayLoadFailureHook 0x428104
ResolveDelayLoadedAPI 0x428108
MoveFileExW 0x42810c
GetTempFileNameW 0x428110
CreateProcessW 0x428114
CreateThreadpoolTimer 0x428118
InitOnceComplete 0x42811c
InitOnceBeginInitialize 0x428120
GetFileAttributesW 0x428124
SetErrorMode 0x428128
ExpandEnvironmentStringsW 0x42812c
AcquireSRWLockShared 0x428130
ReleaseSRWLockShared 0x428134
SetThreadpoolTimer 0x428138
WaitForThreadpoolTimerCallbacks 0x42813c
CloseThreadpoolTimer 0x428140
GetVersionExW 0x428144
CreateSemaphoreExW 0x428148
HeapFree 0x42814c
SetLastError 0x428150
ReleaseSemaphore 0x428154
GetModuleHandleExW 0x428158
WaitForSingleObject 0x42815c
GetCurrentThreadId 0x428160
ReleaseMutex 0x428164
FormatMessageW 0x428168
GetLastError 0x42816c
OutputDebugStringW 0x428170
WaitForSingleObjectEx 0x428174
LoadLibraryW 0x428178
FreeLibrary 0x42817c
OpenSemaphoreW 0x428180
CloseHandle 0x428184
LockResource 0x428188
GetCurrentProcess 0x42818c
IsDebuggerPresent 0x428190
DebugBreak 0x428194
GetModuleHandleW 0x428198
GetProcessHeap 0x42819c
GetCurrentProcessId 0x4281a0
CreateMutexExW 0x4281a4
GetProcAddress 0x4281a8
HeapAlloc 0x4281ac
Name Address
SelectObject 0x428088
CreateFontIndirectW 0x42808c
DeleteObject 0x428090
Name Address
UnregisterClassA 0x42820c
EndDialog 0x428210
DialogBoxIndirectParamW 0x428214
GetDC 0x428218
GetTabbedTextExtentW 0x42821c
ReleaseDC 0x428220
MessageBoxW 0x428224
GetParent 0x428228
GetDesktopWindow 0x42822c
GetWindowRect 0x428230
CopyRect 0x428234
SetWindowPos 0x428238
SetWindowLongW 0x42823c
SendMessageW 0x428240
GetWindowLongW 0x428244
SetDlgItemTextW 0x428248
DestroyIcon 0x42824c
LoadImageW 0x428250
GetSystemMetrics 0x428254
LoadIconW 0x428258
SendDlgItemMessageW 0x42825c
ShowWindow 0x428260
SetWindowTextW 0x428264
PostMessageW 0x428268
GetDlgItem 0x42826c
EnableWindow 0x428270
EnableMenuItem 0x428274
OffsetRect 0x428278
GetSystemMenu 0x42827c
Name Address
free 0x428330
malloc 0x428334
_wsopen_s 0x428338
wcscpy_s 0x42833c
wcsncat_s 0x428340
_read 0x428344
fclose 0x428348
_write 0x42834c
_callnewh 0x428350
_wfopen_s 0x428354
vswprintf_s 0x428358
vfwprintf 0x42835c
_close 0x428360
memmove_s 0x428364
ldiv 0x428368
wcschr 0x42836c
wcsstr 0x428370
_wcslwr_s 0x428374
_wtoi64 0x428378
??_V@YAXPAX@Z 0x42837c
_lseek 0x428380
__RTDynamicCast 0x428384
_vsnwprintf_s 0x428388
_wcsicmp 0x42838c
_wopen 0x428390
_vscwprintf 0x428394
fwprintf 0x428398
_wtoi 0x42839c
memcmp 0x4283a0
_controlfp 0x4283a4
_wcstoui64 0x4283a8
wcsncpy_s 0x4283ac
_except_handler4_common 0x4283b0
??1type_info@@UAE@XZ 0x4283b4
_vsnprintf_s 0x4283b8
??0exception@@QAE@ABV0@@Z 0x4283bc
??0exception@@QAE@XZ 0x4283c0
??1exception@@UAE@XZ 0x4283c4
_purecall 0x4283c8
memcpy_s 0x4283cc
_vsnwprintf 0x4283d0
__CxxFrameHandler3 0x4283d4
??3@YAXPAX@Z 0x4283d8
?terminate@@YAXXZ 0x4283dc
_onexit 0x4283e0
__dllonexit 0x4283e4
_unlock 0x4283e8
_lock 0x4283ec
_wcmdln 0x4283f0
__setusermatherr 0x4283f4
__p__fmode 0x4283f8
_cexit 0x4283fc
_exit 0x428400
exit 0x428404
__set_app_type 0x428408
__wgetmainargs 0x42840c
_amsg_exit 0x428410
__p__commode 0x428414
_XcptFilter 0x428418
??8type_info@@QBEHABV0@@Z 0x42841c
memmove 0x428420
wcsnlen 0x428424
wcstok_s 0x428428
memcpy 0x42842c
_CxxThrowException 0x428430
?what@exception@@UBEPBDXZ 0x428434
??0exception@@QAE@ABQBDH@Z 0x428438
??0exception@@QAE@ABQBD@Z 0x42843c
iswdigit 0x428440
_initterm 0x428444
memset 0x428448
Name Address
CoUninitialize 0x428294
CoCreateGuid 0x428298
StringFromGUID2 0x42829c
CoCreateInstance 0x4282a0
IIDFromString 0x4282a4
Name Address
SystemTimeToVariantTime 0x4281b4
VarBstrFromDate 0x4281b8
SysAllocStringByteLen 0x4281bc
SysStringByteLen 0x4281c0
SysStringLen 0x4281c4
VariantChangeType 0x4281c8
VariantCopy 0x4281cc
VariantClear 0x4281d0
VariantInit 0x4281d4
SysFreeString 0x4281d8
SysAllocString 0x4281dc
GetErrorInfo 0x4281e0
Name Address
Name Address
CommandLineToArgvW 0x428320
Name Address
WinVerifyTrust 0x42828c
Name Address
Name Address
HeapDestroy 0x4282bc
HeapSize 0x4282c0
HeapReAlloc 0x4282c4
Name Address
UnhandledExceptionFilter 0x4282ac
SetUnhandledExceptionFilter 0x4282b0
RaiseException 0x4282b4
Name Address
CompareStringW 0x4282e0
Name Address
TerminateProcess 0x4282cc
GetStartupInfoW 0x4282d0
Name Address
SleepConditionVariableSRW 0x428308
WakeAllConditionVariable 0x42830c
Name Address
QueryPerformanceCounter 0x4282d8
Name Address
GetSystemTimeAsFileTime 0x428314
GetTickCount 0x428318
Name Address
OleRun 0x428450
CoInitialize 0x428454
Name Address
ShellExecuteW 0x4281e8
Name Address
PathFindExtensionW 0x4281f4
PathRemoveBackslashW 0x4281f8
PathFindFileNameW 0x4281fc
PathRemoveExtensionW 0x428200
PathFileExistsW 0x428204
Name Address
InitCommonControlsEx 0x428048
Name Address
GetThemeSysFont 0x428284
Name Address



Usage


Processing ( 9.91 seconds )

  • 9.22 ProcessMemory
  • 0.678 CAPE
  • 0.007 AnalysisInfo
  • 0.007 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: imewdbld.pdb
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00028a00', 'virtual_address': '0x0002a000', 'virtual_size': '0x0000000c', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.11'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2868 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.