dmr_72.exe

CHIP Secured Installer

CHIP Digital GmbH

The application dmr_72.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Covus installer. While running, it connects to the Internet address ocs1.chdi-server.de on port 443.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
CHIP Secured Installer

Version:
2.1.4.4

MD5:
d2731d6a0df7de11fdaa97324d9cf441

SHA-1:
be01761e55b4d67abbea5b942f7928f192eacae8

SHA-256:
5c6d2335c09d95442f681cf58c6010287b241054c1ce9497f04b1504550e4661

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/24/2024 5:18:16 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.ChipDigital.Bundler (M)

Engine version:
17.2.7.14

File size:
519 KB (531,464 bytes)

Product version:
2.1.4.4

Copyright:
Copyright © 2017 Chip Digital GmbH

Trademarks:
CHIP Secured Installer

Original file name:
DMR.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dmr_72.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/23/2016 5:00:00 PM

Valid to:
6/24/2017 4:59:59 PM

Subject:
CN=CHIP Digital GmbH, OU=Download Development, O=CHIP Digital GmbH, STREET=St.-Martin-Straße 66, L=Munich, S=Bavaria, PostalCode=81541, C=DE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4458F57433331C8DFF7CD49578031066

File PE Metadata
Compilation timestamp:
2/7/2017 5:57:36 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x7EA1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.7171

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
499 KB (510,976 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www2.chdi-server.de  (5.9.198.83:80)

TCP (HTTP):
Connects to www1.chdi-server.de  (176.9.97.244:80)

TCP (HTTP):
Connects to ocs2.chdi-server.de  (5.9.116.27:8080)

TCP (HTTP):
Connects to static.84.198.9.5.clients.your-server.de  (5.9.198.84:80)

TCP (HTTP):
Connects to static.245.97.9.176.clients.your-server.de  (176.9.97.245:80)

TCP (HTTP):
Connects to ocs1.chdi-server.de  (5.9.175.19:80)

TCP (HTTP):
Connects to ocs3.chdi-server.de  (5.9.176.3:8080)

TCP (HTTP):
Connects to dhcp-192-223-201.in2cable.com  (203.192.223.201:80)

TCP (HTTP):
Connects to www1.thinklabs-cluster.de  (148.251.198.118:80)

TCP (HTTP):
Connects to server-52-85-167-109.gig50.r.cloudfront.net  (52.85.167.109:80)

TCP (HTTP):
Connects to m194-mp1.cvx2-c.lng.dial.ntli.net  (62.252.188.194:80)

TCP (HTTP):
Connects to host213-123-252-81.in-addr.btopenworld.com  (213.123.252.81:80)

TCP (HTTP):
Connects to host-213.158.175.75.tedata.net  (213.158.175.75:80)

TCP (HTTP):
Connects to ec2-52-45-84-141.compute-1.amazonaws.com  (52.45.84.141:80)

TCP (HTTP SSL):
Connects to ec2-34-196-191-121.compute-1.amazonaws.com  (34.196.191.121:443)

TCP (HTTP):
Connects to akamai-cdn-193-120-1-16.cwt.btireland.net  (193.120.1.16:80)

TCP (HTTP):
Connects to a201-016-134-042.deploy.akamaitechnologies.com  (201.16.134.42:80)

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

Remove dmr_72.exe - Powered by Reason Core Security