File verdict · Decided by the MT AI Engine
Our call

Suspicious

Unsigned rare binary flagged by one tier-1 engine for process injection; 70 peers silent; mixed signals warrant caution.

Trust score: 52 (Caution)
MT AI confidence · 58%
chickenchips.exe
133.0 KB
4d4b158f3a7ab1908b431707f656
Antivirus engines
1 of 75 flagged
Code signing
Unsigned
Age
First seen 10 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

58%Confidence
Moderate
Reasoning

The file presents a mixed-signal profile. Symantec's 'ML.Attribute.HighConfidence' detection on an unsigned, rare binary is noteworthy, and the sandbox tagged process injection (T1055), a known defence-evasion technique. However, there is no tier-1 consensus (1 engine, not the ≥3 required), no malicious sandbox verdict, no contact with known-malicious hosts, and the other 74 engines, including high-trust peers such as Kaspersky, BitDefender and ESET, returned clean or undetected, which points to either a false positive or a low-confidence detection. The file's newness (10 days, 1 submitter) adds uncertainty, and external threat-intel sources (YARAify, CIRCL, MalwareBazaar) were not collected for this scan, so there is no corroboration in either direction. Process injection alone does not prove malice; legitimate tools and security software use it. The evidence is insufficient for a malicious verdict but too concerning for a safe rating.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. Symantec (tier-1) flagged 'ML.Attribute.HighConfidence' — generic ML label, 1 engine only; tier1FamilyConsensus.strong=false (1 engine, not ≥3)

  2. behaviour.offensiveTechniques=[T1055] (Process Injection); triggeredHeuristics 'MalwareTips.Synth.ProcessInjection' fired with severity=high

  3. signing.verified=false; unsigned; prevalence.classification='rare_new' (1 submitter, 10 days); no signer history

  4. behaviour.hasMaliciousSandboxVerdict=false; contactedHosts.maliciousHosts=none; droppedChildren.hasMaliciousChild=false

  5. externalIntel: yaraify.ruleCount=0, circl.hit=false, malwareBazaar.hit=false; similarHashes=[] (no RAG grounding). These sources were not collected for this scan, so the zero counts are missing data, not confirmed negatives.

Points in its favour
  • 74 of 75 antivirus engines (including tier-1 peers) reported clean or undetected
  • No malicious sandbox verdict recorded
  • No malicious contacted hosts or domains
  • No malicious dropped children
  • PE binary structure not packed or high-entropy obfuscated
Points against
  • Unsigned executable with no publisher history
  • Process injection (T1055) observed — evasion technique
  • Rare and newly submitted (10 days old, 1 submitter)
  • Generic machine-learning detection label (not a named family)
  • No external-researcher corroboration (YARAify, CIRCL and MalwareBazaar were not collected for this scan, so there are no hits either way)
What to do

Treat this file as suspicious and do not run it on production systems. Before acting on this verdict, confirm that the SHA-256 of the copy you hold matches the hash in the file identity section below; a different hash is a different file, and this report does not apply to it. If you must analyse it, use an isolated sandbox or a dedicated malware-analysis workstation, and capture an API trace (for example CreateRemoteThread, WriteProcessMemory or QueueUserAPC calls into another process) to confirm or rule out the injection the sandbox tagged; the console host spawn recorded below is not that evidence. Consider submitting the sample to your security team or antivirus vendor for manual review.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK: 5 techniques

Adversary techniques mapped to the MITRE ATT&CK framework.

  • T1027 Obfuscated Files or Information
  • T1027.002 Software Packing
  • T1055 Process Injection
  • T1071 Application Layer Protocol
  • T1129 Shared Modules

Only T1055 was escalated to a key signal. T1027.002 is at odds with the PE forensics below (every section is under the packed threshold), T1129 is commonly raised for any binary that loads DLLs at runtime, and T1071 was tagged although no malicious contacted host was recorded.
Spawned processes: 3
  • "C:\Users\<USER>\Desktop\chickenchips.exe"
  • "C:\Users\user\Desktop\chickenchips.exe"
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Apart from the sample itself (listed under two user paths), only the console host was spawned. The conhost.exe launch with 0xffffffff -ForceV1 is what Windows starts for every console-subsystem program; on its own it is not evidence of injection.
Filesystem & mutexes: 1
Files written: 1
  • \Device\ConDrv\Connect

\Device\ConDrv\Connect is the console driver endpoint every console process opens on start-up, not a file dropped to disk. No mutex entries are listed.
No researcher-database hits recorded
External threat-intel sources (YARAify, CIRCL, MalwareBazaar) were not collected for this scan, so the zero-hit counts cited in the key signals reflect missing data rather than a confirmed negative.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. Curated family rules target specific malware families and are near-definitive; a synthesis heuristic such as the one below is derived from the sandbox's technique tag and is only as strong as the evidence it cites.

1 synthesis
MITRE ATT&CK profile
Defense evasion× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (severity: high)

    MITRE T1055 (Process Injection) tagged by the sandbox. Injection covers CreateRemoteThread, APC and reflective-DLL techniques, used to run a payload inside a legitimate process and bypass AV hooks. The evidence recorded here is only the sample's command line, so the specific method and the target process are not established by this report.

    Evidence
    "C:\Users\<USER>\Desktop\chickenchips.exe"
Antivirus engine breakdown

1 detection across 75 engines

1 malicious · 0 suspicious · 74 clean

Tier-1 (17 engines): 1 flag. Top commercial AVs (low FP rate)
Tier-2 (38 engines): 0 flags. Mainstream engines with mixed FP rates
Low-trust (20 engines): 0 flags. Heuristic / generic-AI engines (high FP rate)

Symantec: malicious (ML.Attribute.HighConfidence)

Hash 4d4b158f3a7a… cross-referenced against 75 AV engines via our AV network.
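The consensus rule the key signals apply (tier1FamilyConsensus.strong only at 3 or more tier-1 engines, and a generic ML label counting for less than a named family) is easy to get wrong when engines phrase the same family differently. The block below is an added example, not MalwareTips code: it runs that rule over two constructed result sets, one mirroring this report (a single tier-1 ML hit, peers clean) and one hypothetical case where several tier-1 engines name the same family under different label conventions. The tier-1 engine list and the generic-token list are assumptions for illustration; the report itself names only four tier-1 peers.

```python
"""Tier-weighted AV consensus check (added example; engine tiers and token lists are assumed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed tier-1 set: the four engines the report names plus others commonly ranked with them.
TIER1 = {"Symantec", "Kaspersky", "BitDefender", "ESET-NOD32", "Microsoft", "Sophos", "TrendMicro"}

# Label tokens that carry no family name: platform, type and generic/ML markers (assumed list).
GENERIC_TOKENS = {"ml", "heur", "generic", "gen", "suspicious", "attribute", "highconfidence",
                  "ai", "unsafe", "malicious", "variant", "agent", "trojan", "win32", "win64",
                  "w32", "w64", "backdoor", "worm", "virus", "malware", "score"}

STRONG_THRESHOLD = 3  # from the report: tier1FamilyConsensus.strong requires >= 3 engines


def family_of(label: str) -> Optional[str]:
    """Crude family extraction: first token that is not a type/platform/generic word.
    'HEUR:Trojan.Win32.Emotet.gen' -> 'emotet'; 'ML.Attribute.HighConfidence' -> None.
    Variant suffixes after an all-generic name can be mistaken for a family; production
    systems use a label normaliser such as AVClass instead of this heuristic."""
    for tok in re.split(r"[./:\-_ ]+", label):
        t = tok.lower()
        if len(t) > 1 and not t.isdigit() and t not in GENERIC_TOKENS:
            return t
    return None


@dataclass
class Consensus:
    tier1_flagged: List[str]             # tier-1 engines with a malicious/suspicious verdict
    tier1_named: Dict[str, List[str]]    # family -> tier-1 engines naming it
    generic_only: bool                   # every tier-1 flag is a generic/ML label
    strong: bool                         # >= STRONG_THRESHOLD tier-1 engines agree on a family


def tier1_consensus(results: Dict[str, Tuple[str, Optional[str]]],
                    tier1: set = TIER1) -> Consensus:
    """results maps engine -> (category, label); category is 'malicious', 'suspicious',
    'undetected' or 'type-unsupported', as in a VirusTotal-style report."""
    flagged = [e for e, (cat, _) in results.items()
               if e in tier1 and cat in ("malicious", "suspicious")]
    named: Dict[str, List[str]] = {}
    for e in flagged:
        fam = family_of(results[e][1] or "")
        if fam:
            named.setdefault(fam, []).append(e)
    generic_only = bool(flagged) and not named
    strong = any(len(v) >= STRONG_THRESHOLD for v in named.values())
    return Consensus(flagged, named, generic_only, strong)


# Constructed result sets. THIS_REPORT mirrors the page: one tier-1 ML hit, peers clean.
THIS_REPORT = {
    "Symantec": ("malicious", "ML.Attribute.HighConfidence"),
    "Kaspersky": ("undetected", None),
    "BitDefender": ("undetected", None),
    "ESET-NOD32": ("undetected", None),
    "Microsoft": ("undetected", None),
}
# Hypothetical contrast: four tier-1 engines name the same family in four label styles.
NAMED_FAMILY = {
    "Symantec": ("malicious", "Trojan.Emotet"),
    "Kaspersky": ("malicious", "HEUR:Trojan.Win32.Emotet.gen"),
    "ESET-NOD32": ("malicious", "Win32/Emotet.CL"),
    "BitDefender": ("malicious", "Gen:Variant.Emotet.12"),
    "SomeHeuristicAV": ("malicious", "Trojan.Emotet"),  # not tier-1: must not count
}

if __name__ == "__main__":
    for title, res in (("this report", THIS_REPORT), ("named family", NAMED_FAMILY)):
        c = tier1_consensus(res)
        print(f"{title}: flagged={c.tier1_flagged} named={c.tier1_named} "
              f"generic_only={c.generic_only} strong={c.strong}")
```

The first set reproduces the report's outcome (one tier-1 flag, generic label, no strong consensus); the second shows why label normalisation matters: without it, Kaspersky's HEUR: prefix or BitDefender's Gen:Variant prefix would look like three different verdicts instead of one family named four times.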
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here: every section is below the 7.2 packed threshold, which is consistent with unpacked code. This static evidence does not support the sandbox's T1027.002 (Software Packing) tag above.

Overall entropy: 3.60 (unpacked)
Section entropy (10 sections; scale 0.0 to 8.0, packed threshold 7.2)
  .text   5.71
  .data   0.60
  .rdata  4.85
  .pdata  2.29
  .xdata  3.28
  .bss    0.00
  .idata  3.62
  .tls    0.00
  .rsrc   4.78
  .reloc  1.25

Sections reading 0.00 (.bss, .tls) have raw data on disk that is empty or entirely zero bytes.
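To reproduce the table above on a binary you hold, the section table has to be walked from the PE header and Shannon entropy computed per section. The block below is an added example, not MalwareTips code: it parses the section headers with the standard library only (no pefile), applies the 7.2 packed threshold from the panel, and also measures the overlay (bytes after the last section, the meaning of the 'overlay' behaviour tag further down). The PE image it analyses is constructed in the block from hypothetical sections so it runs offline; the section contents and names are made up for the demonstration.

```python
"""Per-section entropy and overlay size for a PE image (added example, stdlib only)."""
import math
import struct

PACKED_THRESHOLD = 7.2  # threshold used by the report's entropy scale (0.0 to 8.0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for each section header.

    Reads e_lfanew from the DOS header, checks the PE\\0\\0 signature, then uses
    NumberOfSections and SizeOfOptionalHeader from the COFF header to locate the
    40-byte section headers. Raises ValueError on a malformed image.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if raw_ptr + raw_size > len(image):
            raise ValueError(f"section {name!r} points outside the file")
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def entropy_report(image: bytes):
    """Return (rows, overall_entropy, overlay_bytes); rows are (name, entropy, packed?)."""
    rows, end = [], 0
    for name, off, size in pe_sections(image):
        ent = shannon_entropy(image[off:off + size])
        rows.append((name, round(ent, 2), ent >= PACKED_THRESHOLD))
        end = max(end, off + size)
    overlay = len(image) - end  # data appended after the last section
    return rows, round(shannon_entropy(image), 2), overlay


def build_pe(sections, overlay: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image from (name, bytes) pairs. Hypothetical test data only:
    the optional header is zero-filled apart from its magic, so the result is not loadable."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    headers, blobs = b"", b""
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + headers + blobs + overlay


# Constructed sample: code-like bytes, an all-zero block, and a uniform byte block
# (the last mimics a packed/encrypted section), plus a 14-byte overlay.
SAMPLE = build_pe([
    (".text", b"\x48\x89\xe5\x48\x83\xec\x20" * 100),
    (".bss", b"\x00" * 256),
    (".pak", bytes(range(256)) * 4),
], overlay=b"SIGNED-OVERLAY")

if __name__ == "__main__":
    rows, overall, overlay = entropy_report(SAMPLE)
    for name, ent, packed in rows:
        print(f"{name:<8}{ent:5.2f}  {'PACKED' if packed else 'ok'}")
    print(f"overall {overall:.2f}, overlay {overlay} bytes")
```

A section at or above the threshold is a packing signal, not proof: compressed resources, embedded certificates and encrypted configuration blobs also push entropy toward 8.0, which is why the per-section view matters more than the whole-file figure. For a real file, replace SAMPLE with open(path, "rb").read().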
Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry has not signatured yet, but it is equally the footprint of a freshly compiled in-house tool that no one else has uploaded. Extra scrutiny is warranted either way.

Rare & new
Unique uploaders: 1 (very few people have ever uploaded this: rare)
Total submissions: 3 (includes repeat uploads by the same source)
First seen by VT: 9d ago (May 31, 2026)

Prevalence quadrant (this file: Rare · New)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/31/2026, 3:51:06 AM
First seen (MalwareBazaar)
(no entry)
Last analysis (VT)
6/7/2026, 3:51:24 AM
Scanned here
6/9/2026, 4:16:20 PM
File name
chickenchips.exe
Size
133.0 KB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
4d4b158f3a7ab1908b2a660a898ff0d418fbbb653cbb6c0c95aa16431707f656
MD5
42d749ab7bfb9b50068b50f81c059a88
SHA-1
926faaa019b1f959b9cd9b76037f994e3412c206
PE imphash
f812b6d9ad694e5720ce4d929b8ef30b
First scan (MalwareTips)
6/9/2026, 4:16:20 PM
Last scan (MalwareTips)
6/9/2026, 4:16:20 PM
Behavior tags
peexe · 64bits · overlay (data appended after the last PE section)
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.