File name: pixsetup.exe

Full analysis: https://app.any.run/tasks/ee113b11-2aea-4b95-8282-b0dc454f2c8a
Verdict: Malicious activity
Analysis date: December 13, 2023, 14:49:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 974CAA96CC071DF636FEDC861F008D3D
SHA1: F9F4922854A2A2E15DCAAF8373263A3562216A68
SHA256: 097983C72AD528F34057C87C08D5C4B66373EE8EFA2F2E6AC418B37DBEEEBB83
SSDEEP: 98304:3qg5fc9gqO4u6Xwor4GWQL3Djssj6gpnE2W6ome3ZbYrntarptKh16XmT39dLo3j:vr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • pixsetup.exe (PID: 1840)
      • nchsetup.exe (PID: 2424)
      • freetype.exe (PID: 2336)
  • SUSPICIOUS

    • Reads the Internet Settings

      • pixsetup.exe (PID: 1840)
      • nchsetup.exe (PID: 2424)
      • pixillion.exe (PID: 4036)
    • Searches for installed software

      • nchsetup.exe (PID: 2424)
    • Starts itself from another location (the pixillion.exe installed under Program Files has the same MD5 and SHA256 as the nchsetup.exe dropped into Temp\n1s, see Dropped files: the NCH setup stub is the product binary run with -installer, so launching the product is the same image started from a new path)

      • nchsetup.exe (PID: 2424)
  • INFO

    • Checks supported languages

      • pixsetup.exe (PID: 1840)
      • nchsetup.exe (PID: 2424)
      • freetype.exe (PID: 2336)
      • pixillion.exe (PID: 2716)
      • wmpnscfg.exe (PID: 3344)
      • pixillion.exe (PID: 4036)
    • Create files in a temporary directory

      • pixsetup.exe (PID: 1840)
      • freetype.exe (PID: 2336)
      • pixillion.exe (PID: 4036)
    • Reads the computer name

      • nchsetup.exe (PID: 2424)
      • pixsetup.exe (PID: 1840)
      • pixillion.exe (PID: 4036)
      • pixillion.exe (PID: 2716)
      • wmpnscfg.exe (PID: 3344)
    • Creates files in the program directory

      • nchsetup.exe (PID: 2424)
      • freetype.exe (PID: 2336)
    • Reads the machine GUID from the registry

      • pixillion.exe (PID: 4036)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:21 07:45:58+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 2078208
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: Pixillion Image Converter
FileVersion: 11.62+
ProductVersion: 11.62+
ProductName: Pixillion
LegalCopyright: NCH Software
InternalName: Pixillion
OriginalFileName: Pixillion.exe
All screenshots are available in the full report
Total processes: 49
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: start -> pixsetup.exe -> nchsetup.exe -> freetype.exe (no specs), wmpnscfg.exe (no specs), pixillion.exe (no specs), pixillion.exe (no specs), PhotoViewer.dll (no specs), pixsetup.exe (no specs)

Process information

PID: 1840
CMD: "C:\Users\admin\AppData\Local\Temp\pixsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\pixsetup.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Image Converter
Exit code: 0
Version: 11.62+
Modules (images):
c:\users\admin\appdata\local\temp\pixsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1864
CMD: "C:\Users\admin\AppData\Local\Temp\pixsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\pixsetup.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Image Converter
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance could not run without elevation; PID 1840 is the same installer running at HIGH integrity)
Version: 11.62+
Modules (images):
c:\users\admin\appdata\local\temp\pixsetup.exe
c:\windows\system32\ntdll.dll
PID: 2224
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2336
CMD: "C:\Program Files\NCH Software\Pixillion\freetype.exe" -LQUIET -instby fiPixillion -instsvar PIXILLIONRelatedprogramspaidoffLLIBInstquickoff
Path: C:\Program Files\NCH Software\Pixillion\freetype.exe
Parent process: nchsetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\nch software\pixillion\freetype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2424
CMD: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\pixsetup.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
Parent process: pixsetup.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Image Converter
Exit code: 0
Version: 11.62+
Modules (images):
c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2716
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe" -installsched
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Image Converter
Exit code: 0
Version: 11.62+
Modules (images):
c:\program files\nch software\pixillion\pixillion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3344
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4036
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe"
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Image Converter
Exit code: 0
Version: 11.62+
Modules (images):
c:\program files\nch software\pixillion\pixillion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 5 371
Read events: 5 088
Write events: 279
Delete events: 4

Modification events

PID 1840 (pixsetup.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0

PID 2424 (nchsetup.exe)
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
  delete value SVar = PIXILLIONShowoutfilesize2on
  write SVar = PIXILLIONRelatedprogramspaidoff
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0

The four ZoneMap values are the Internet Explorer intranet-zone defaults that WinINet/urlmon writes when a process first initialises the security-zone map; they are what raises the "Reads the Internet Settings" indicator and appear for almost any program that uses WinINet, so on their own they are not evidence of proxy or zone tampering. The SVar change is installer state: the same value is passed to freetype.exe through -instsvar in the command line of PID 2336.
Executable files: 7
Suspicious files: 30
Text files: 3
Unknown types: 0

Dropped files

PID 2336 freetype.exe
  C:\Users\admin\AppData\Local\Temp\freetype_.cab (compressed)
  MD5: B543F65A5CFC0342E857053BFB901DA6
  SHA256: EF5429418FF01885E4F3BEB0E02AF64471A87997D1D34D3B94D250B25002CB2D

PID 1840 pixsetup.exe
  C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat (executable)
  MD5: 8ECB610A60CAAFBB5A41DE462D5807A8
  SHA256: D01B0CB6C631CC7212DACF82FCD5C8D4522A10F2B72E680E899C978EACDBC74C

PID 1840 pixsetup.exe
  C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe (executable)
  MD5: CE36227AFA685923D4600B50F77F521B
  SHA256: 5EC55A83F120EB19201612F1DCAFFB56700AD29C9B39C0FF909B5E8DCE682029

PID 1840 pixsetup.exe
  C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab (compressed)
  MD5: 5BF2B28C8356BC9802F4A12F107D5235
  SHA256: 860241BF6A62105354D29F9F4E4694957819E0DCB08A5F0B3A4B14BDB04C1CFD

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\shellmenu.dll (executable)
  MD5: 69AB93F53EAD4E260F7031F11D192572
  SHA256: 250D610A7903192F85A24C1484FD3684D45DBEDD9A45502AF29F9FDB3116E01B

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\pixillion.exe (executable)
  MD5: CE36227AFA685923D4600B50F77F521B
  SHA256: 5EC55A83F120EB19201612F1DCAFFB56700AD29C9B39C0FF909B5E8DCE682029

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\shellmenua.msix (compressed)
  MD5: 576BD880B25B08ED08204F340ACF4436
  SHA256: 42E5E79515167AED74265C09BE30228CBE3EA838AB65E393F74C0ECE8BA4278B

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\freetype.exe (executable)
  MD5: 9D922FF98AB5EF728BF482A46C565647
  SHA256: 946EC5E46E155101DA5A5E8B03AAAFB4F0359EFA437A99AE38D395763E73BCCF

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\superresolution.nn (binary)
  MD5: 44C554286E70AD597BA03CAE562DF365
  SHA256: B80576E3A39238DA26FBCA141F6D15211AA5AE82558B92DC0CA96A434A8C1C05

PID 2424 nchsetup.exe
  C:\Program Files\NCH Software\Pixillion\shellmenub.msix (compressed)
  MD5: FA67924B73FC3714143CF8D2E904D6E5
  SHA256: 40E99E3A03931CD993F3497CF12773E691488CD176CBEE6A65926DE9FDA7A515

The nchsetup.exe dropped into Temp\n1s and the pixillion.exe installed into Program Files have identical MD5 and SHA256 values: the setup stub and the product binary are one image, run once with -installer and then from its install path, which is what the "Starts itself from another location" signature picks up.
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process       IP                    Domain             ASN       CN  Reputation
2588  svchost.exe   239.255.255.250:1900  -                  -         -   whitelisted
4     System        192.168.100.255:137   -                  -         -   whitelisted
4     System        192.168.100.255:138   -                  -         -   whitelisted
1080  svchost.exe   224.0.0.252:5355      -                  -         -   unknown
2424  nchsetup.exe  173.247.253.164:443   secure.nch.com.au  INMOTION  US  unknown

The first four rows are Windows background traffic from system processes (SSDP on 1900, NetBIOS name and datagram broadcasts on 137/138, LLMNR on 5355), not activity of the sample. The only connection made by a monitored process is nchsetup.exe to secure.nch.com.au on 443; since no HTTP requests were decoded it is TLS, and the PCAP in the full report is where to check the SNI and server certificate.

DNS requests

Domain: secure.nch.com.au
IP: 173.247.253.164
Reputation: unknown

Threats

No threats detected
No debug info