SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
File name: _isdel.exe
Detection ratio: 0 / 44
Analysis date: 2012-11-02 13:20:45 UTC ( 6 years, 4 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
AVG 20121031
Yandex 20121031
AhnLab-V3 20121031
AntiVir 20121031
Antiy-AVL 20121027
Avast 20121031
BitDefender 20121031
ByteHero 20121101
CAT-QuickHeal 20121031
ClamAV 20121031
Commtouch 20121031
Comodo 20121031
DrWeb 20121031
ESET-NOD32 20121031
Emsisoft 20121031
F-Prot 20121030
F-Secure 20121031
Fortinet 20121031
GData 20121031
Ikarus 20121031
Jiangmin 20121031
K7AntiVirus 20121031
Kaspersky 20121031
Kingsoft 20121028
McAfee 20121031
McAfee-GW-Edition 20121031
eScan 20121031
Microsoft 20121031
Norman 20121031
PCTools 20121031
Panda 20121031
Rising 20121031
SUPERAntiSpyware 20121031
Sophos AV 20121031
Symantec 20121031
TheHacker 20121031
TotalDefense 20121031
TrendMicro 20121031
TrendMicro-HouseCall 20121031
VBA32 20121030
VIPRE 20121031
ViRobot 20121031
eSafe 20121028
nProtect 20121031
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright© 1990-1998 InstallShield Software Corporation, Phone: (847) 240-9111

Product InstallShield®
File version 5, 51, 138, 0
Description 32-bit InstallShield Deleter.
Signature verification Signed file, verified signature
Signing date 4:17 AM 7/14/2009
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 08:39 PM 10/22/2008
Valid to 08:49 PM 01/22/2010
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 018B222E21FBB2952304D04D1D87F736ED46DEA4
Serial number 61 01 C6 C1 00 00 00 00 00 07
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 09:55 PM 09/15/2005
Valid to 10:05 PM 03/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 10:03 PM 06/05/2007
Valid to 10:13 PM 06/05/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 80B9915817340CEE66D71EC27DA5F96EBF8D94D8
Serial number 61 04 CA 69 00 00 00 00 00 08
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:53 PM 04/03/2007
Valid to 01:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Packers identified
PEiD InstallShield 2000
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1998-10-27 19:06:49
Entry Point 0x000017C0
Number of sections 4
PE sections
PE imports
GetLastError
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
lstrcmpiA
GetOEMCP
LCMapStringA
HeapDestroy
GetTickCount
GetEnvironmentStringsW
LoadLibraryA
RtlUnwind
RemoveDirectoryA
FreeEnvironmentStringsA
GetStartupInfoA
GetEnvironmentStrings
GetPrivateProfileStringA
WritePrivateProfileStringA
lstrcatA
GetPrivateProfileIntA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
SetErrorMode
MultiByteToWideChar
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
ExitProcess
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
lstrcpyA
GetCurrentProcess
CloseHandle
GetACP
GetStringTypeW
TerminateProcess
GetModuleFileNameA
HeapCreate
WriteFile
VirtualFree
Sleep
GetFileType
CreateFileA
HeapAlloc
GetVersion
VirtualAlloc
SetCurrentDirectoryA
wsprintfA
GetSystemMetrics
SetTimer
IsWindow
LoadIconA
TranslateMessage
GetMessageA
DispatchMessageA
PostQuitMessage
CharNextA
SendMessageA
CreateWindowExA
RegisterWindowMessageA
DefWindowProcA
LoadCursorA
RegisterClassA
PE exports
Number of PE resources by type
RT_STRING 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
5.1

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
5.51.138.0

LanguageCode
English (U.S.)

FileFlagsMask
0x0002

FileDescription
32-bit InstallShield Deleter.

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
Windows, Latin1

InitializedDataSize
16896

EntryPoint
0x17c0

MIMEType
application/octet-stream

LegalCopyright
Copyright 1990-1998 InstallShield Software Corporation, Phone: (847) 240-9111

FileVersion
5, 51, 138, 0

TimeStamp
1998:10:27 20:06:49+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
5, 51

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows 16-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
InstallShield Software Corporation

CodeSize
12288

ProductName
InstallShield

ProductVersionNumber
5.51.138.0

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 9d4ec4b71fd189a0b2c4dbd6aade16bf
SHA1 0e7bb331d398be694a92a823de839fefdf464dfd
SHA256 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
ssdeep
384:m3wIA7GjPE6nnP9TDWsKAkk/fG8+lmQP+0JSfgyz:QwIA7Q7tDUAdnemQVSfg

authentihash 499342a59aaff1c1ac5f1ba1e0967c1ea21963505baa43c841c16b02f5f3a186
imphash af417a432744d25669a269c31c292485
File size 27.0 KB ( 27648 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe nsrl installshield signed trusted

Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with _isdel.exe as its name.
VirusTotal metadata
First submission 2009-07-07 20:43:11 UTC ( 9 years, 8 months ago )
Last submission 2019-03-10 17:15:48 UTC ( 2 weeks ago )
File names vs8610ci.ge7
vs8816ec.71a
15292.tmp
_isdel.exe
vs060u0s.nfc
9d4ec4b71fd189a0b2c4dbd6aade16bf
_isdel.exe
vsg81li5.4l3
w_isdel.exe.new
vsr506jh.cft
vstl1om1.74t
vskd0gij.su1
myfile.exe
_isdel.exe
19943
_isdel.exe
vsa20hkc.ppq
vsjq1vp6.fmc
vsp91uli.nod
vso6098s.j8e
vsqi0n8i.m4d
7d886dfd06c841749c9046b069e9f6797da79829.exe
vsjq1p4o.4cu
0589b65.tmpscan
_isdel.exe
National Software Reference Library (NIST)
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a reference data set of information. This file was found in the NSRL dataset, in the following products and with the following file names.
Products MSDN Disc 2455.6 (Microsoft)
MSDN Disc 2974 (Microsoft)
MSDN Disc 2973 (Microsoft)
MSDN Disc 2942 (Microsoft)
MSDN Disc 2428.8 (Microsoft)
MSDN 2939 (Microsoft)
MSDN Disc 2939.2 (Microsoft)
MSDN Disc 2939.3 (Microsoft)
MSDN Disc 2939.4 (Microsoft)
File names w_isdel.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight