home

windows-essentials-2012-16-4-3505-0912.exe

OCSClient

CHIP Digital GmbH

The application windows-essentials-2012-16-4-3505-0912.exe by CHIP Digital GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Chip Digital OCSClient installer. The file has been seen being downloaded from go.redirectingat.com.
Publisher:
CHIP Digital GmbH  (signed and verified)

Product:
OCSClient

Version:
1.00

MD5:
02859ec8c97b6fecd8b5b088d9ccdc2f

SHA-1:
8285b36fe407d3d98f8f9863543a82e57cb8e819

SHA-256:
8cdbd26f53f54e4f34991a86cb2fd2dad1bcddb02628885a4794b8b15cf1a419

Scanner detections:
1 / 68

Status:
Potentially unwanted

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
4/16/2024 9:08:27 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Covus
15.2.18.17

File size:
598.8 KB (613,200 bytes)

Product version:
1.00

Original file name:
ocsclient.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Chip Digital OCSClient

Language:
English (United States)

Common path:
C:\users\{user}\downloads\windows-essentials-2012-16-4-3505-0912.exe

Digital Signature
Signed by:
CHIP Digital GmbH

Authority:
Thawte, Inc.

Valid from:
2/25/2014 5:30:00 AM

Valid to:
2/26/2015 5:29:59 AM

Subject:
CN=CHIP Digital GmbH, O=CHIP Digital GmbH, L=Muenchen, S=Bayern, C=DE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
0D160B8252A4F0A16FE1255FA0A22E2B

File PE Metadata
Compilation timestamp:
11/27/2013 5:58:37 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:3KWlw1Dx+dASQFfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2k:37lw1Dx65QFfXeYU43fiysgfBnnl2k

Entry address:
0x1620

Entry point:
68, 08, F6, 40, 00, E8, EE, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, EF, 4E, 90, D9, AA, 0A, CD, 43, 91, 50, 46, 79, E4, 37, D4, 82, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 4F, 43, 53, 43, 6C, 69, 65, 6E, 74, 00, 6E, 64, 72, 65, 5C, 44, 00, 00, 00, 00, FF, CC, 31, 00, 03, 23, 5A, 55, 3A, 3C, E0, 07, 47, B3, 35, 82, 3C, 05, 78, AE, A7, 47, FF, BF, 0B, 62, DE, 67, 44, A8, 40, C9, 76, C0, F9, 23, 95, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00...
 
[+]

Entropy:
6.0817

Developed / compiled with:
Microsoft Visual Basic v5.0

Code size:
96 KB (98,304 bytes)

The file windows-essentials-2012-16-4-3505-0912.exe has been seen being distributed by the following URL.

http://go.redirectingat.com/?id=92X363&site=techradar.com&xs=1&isjs=1&url=https://secure.download-sponsor.de/?pid=techradar&cid=180768178&xguid=acf13cafd07c0c60e4ea6f08d3c0c461&xcreo=0&sref=http://www.techradar.com/news/software/.../20-windows-7-free-apps-to-download-today-648954/2#articleContent&pref=http://www.techradar.com/news/software/.../20-windows-7-free-apps-to-download-today-648954&xtz=-330

Remove windows-essentials-2012-16-4-3505-0912.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.