dmr_72.exe

CHIP Secured Installer

CHIP Digital GmbH

The application dmr_72.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Covus installer. While running, it connects to the Internet address ocs2.chdi-server.de on port 8080.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
CHIP Secured Installer

Version:
2.1.4.4

MD5:
45685d3339346bf4b04a0aaa9c62d3eb

SHA-1:
33db0c039b171c81d65a1dfe4dc117e5e9c7d1b2

SHA-256:
b041aefef7a5a204c6230f0ac9a01558f56b7dbb90a88478f920930859efb33d

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This is an installer that may bundle legitimate applications with offers for additional third-party applications that the user may not want. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/20/2024 9:13:34 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.ChipDigital.Bundler (M)

Engine version:
17.1.24.14

File size:
518 KB (530,440 bytes)

Product version:
2.1.4.4

Copyright:
Copyright © 2017 Chip Digital GmbH

Trademarks:
CHIP Secured Installer

Original file name:
DMR.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Covus

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dmr_72.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/24/2016 2:00:00 AM

Valid to:
6/25/2017 1:59:59 AM

Subject:
CN=CHIP Digital GmbH, OU=Download Development, O=CHIP Digital GmbH, STREET=St.-Martin-Straße 66, L=Munich, S=Bavaria, PostalCode=81541, C=DE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
4458F57433331C8DFF7CD49578031066

File PE Metadata
Compilation timestamp:
1/24/2017 1:39:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x7E7AE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, EE, 4A, 87, 58, 00, 00, 00, 00, 02, 00, 00, 00, 1C, 01, 00, 00, 1C, 00, 08, 00, 1C, CC, 07, 00, 52, 53, 44, 53, 41, 95, AE, 59, D7, 03, 1D, 47, 8F, 72, 39, 05, 80, 80...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
498 KB (509,952 bytes)

The executing file has been seen to make the following network communications in live environments.


Remove dmr_72.exe - Powered by Reason Core Security