File name: PixillionBildkonverter.exe

Full analysis: https://app.any.run/tasks/df87aa24-2dfe-41c1-b8f0-294f6abe61f0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 16, 2024, 09:46:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 853E48A8CF730429EAD7D59CEAA81794
SHA1: 2EFD47934026EE0E713051E5E1CF9A206DADAE3C
SHA256: A97ABD7BACFD14323E29B988065D9F6FBB134935F616BB983A3A8FC607CAEE64
SSDEEP: 98304:U9uSBln7aGdQy7sA4avC8SYohz+MGnFK8sLw65znHA9n7P7a70PlcmoZUSP4TfoK:FfeS2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 2752)
      • nchsetup.exe (PID: 2952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
    • Reads security settings of Internet Explorer

      • PixillionBildkonverter.exe (PID: 3208)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
    • Reads the Internet Settings

      • PixillionBildkonverter.exe (PID: 3208)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
    • Starts itself from another location

      • nchsetup.exe (PID: 2952)
    • Process requests binary or script from the Internet

      • nchsetup.exe (PID: 2752)
    • Potential Corporate Privacy Violation

      • nchsetup.exe (PID: 2752)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 2952)
    • Searches for installed software

      • nchsetup.exe (PID: 2952)
  • INFO

    • Checks supported languages

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
      • pixillion.exe (PID: 3364)
      • pixillion.exe (PID: 3652)
    • Reads the computer name

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • pixillion.exe (PID: 3364)
      • pixillion.exe (PID: 3652)
    • Create files in a temporary directory

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • freetype.exe (PID: 3164)
      • pixillion.exe (PID: 3652)
    • Creates files in the program directory

      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
    • Reads the machine GUID from the registry

      • pixillion.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:26 00:01:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 2101760
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: Pixillion Bildkonverter
FileVersion: 12.37DE+
ProductVersion: 12.37DE+
ProductName: Pixillion
LegalCopyright: NCH Software
InternalName: Pixillion
OriginalFileName: Pixillion.exe
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, from start:
  • pixillionbildkonverter.exe
  • nchsetup.exe
  • installer.exe
  • nchsetup.exe
  • freetype.exe
  • pixillion.exe (no specs)
  • pixillion.exe (no specs)
  • pixillionbildkonverter.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process.
PID: 540
CMD: C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe
Path: C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Image Converter
Exit code: 0
Version: 12.34
Modules (images):
  c:\users\admin\appdata\local\temp\pixillion-2748-2\installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 2752
CMD: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
Parent process: PixillionBildkonverter.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Bildkonverter
Exit code: 2
Version: 12.37DE+
Modules (images):
  c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID: 2952
CMD: "C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n2s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe
Parent process: Installer.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Image Converter
Exit code: 0
Version: 12.34
Modules (images):
  c:\users\admin\appdata\local\temp\n2s\nchsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID: 3164
CMD: "C:\Program Files\NCH Software\Pixillion\freetype.exe" -LQUIET -instby fiPixillion -instsvar PIXILLIONRelatedprogramsfreeon
Path: C:\Program Files\NCH Software\Pixillion\freetype.exe
Parent process: nchsetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\nch software\pixillion\freetype.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: HIGH
Description: Pixillion Bildkonverter
Exit code: 2
Version: 12.37DE+
Modules (images):
  c:\users\admin\appdata\local\temp\pixillionbildkonverter.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 3364
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe" -installsched
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Image Converter
Exit code: 0
Version: 12.34
Modules (images):
  c:\program files\nch software\pixillion\pixillion.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Bildkonverter
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 12.37DE+
Modules (images):
  c:\users\admin\appdata\local\temp\pixillionbildkonverter.exe
  c:\windows\system32\ntdll.dll

PID: 3652
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe"
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: Pixillion Image Converter
Version: 12.34
Modules (images):
  c:\program files\nch software\pixillion\pixillion.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

Total events: 8 121
Read events: 7 438
Write events: 661
Delete events: 22

Modification events

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: write
Name: SVar
Value: PIXILLIONShowoutfilesize2on

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: InstallerDomain
Value:

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: _InstallerDomain
Value:

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: SVar
Value: PIXILLIONShowoutfilesize2on

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: PixillionInstall
Value: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: write
Name: SVar
Value: PIXILLIONRelatedprogramspaidon

Executable files: 10
Suspicious files: 31
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3208 | PixillionBildkonverter.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab | compressed
  MD5: AF9F800FB5D44CAB11CC931C6E14F5E8
  SHA256: 99079C0CD004DE20660B22260F4CFF108167C52686A3EB22196F93F483B0C1BE

3208 | PixillionBildkonverter.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed
  MD5: 3727F6B3A750BD350274439714040A4D
  SHA256: F5B1DB638681260087F0F8E23350A10E484DD4B64CC6D270ACF5AEB11F6A487C

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchdata.dat | executable
  MD5: D70A6FA41B8EDB19A8B5FFAF9F9DDF1F
  SHA256: 48FB3AC2C006120E490434A3307A2085D9A5AC9169F07A474EA72BA6E3033FD3

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.cab | compressed
  MD5: 3AE1058AB9B0C71A3D62E594FC1BC8FA
  SHA256: 39E3FE0CBB27036FA1C8D0A0EE867889868CA7BCCCDE6DC46B97E5922E46DE3C

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchdata.cab | compressed
  MD5: 5240738EB1C1A9684A4BA700AB45D261
  SHA256: F5E47AF1A8C8337253B60B20A96CA65B6A0BD9063990CF6CA3D70048F542245D

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe | executable
  MD5: CFC411DD91DA409FCD985284A5777A7D
  SHA256: 5F36CCA3C97D88BAA1F681C318F435885C4B18543DB74E179086329C0D353D60

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\shellmenu.dll | executable
  MD5: 978D86914F9A327E2143709DDE4B2DF5
  SHA256: 0CB46C9B8AD7C3EAFB886A5FF9D437E7F688E4434AF708E4322B0A76CAC38BB5

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\shellmenua.msix | compressed
  MD5: 981FCB4B412C54D01CDBA73D0E7FF667
  SHA256: BE2BF65D3EA06F6BDDCC452E339CA4450133B656D677904FE0A1565C7A917694

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\pixillion.exe | executable
  MD5: CFC411DD91DA409FCD985284A5777A7D
  SHA256: 5F36CCA3C97D88BAA1F681C318F435885C4B18543DB74E179086329C0D353D60

2752 | nchsetup.exe | C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe | executable
  MD5: 2F977D83DDD5959CCF27A3CCE89548B3
  SHA256: 48E19B7C74F25638AFF3157DF11994A167587B775B2F6783759EB14749A4A4E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 12
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | - | - | whitelisted
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1060 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | - | - | whitelisted
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2752 | nchsetup.exe | GET | 200 | 66.39.83.155:80 | http://www.nchsoftware.com/imageconverter/pixsetup.exe | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2752 | nchsetup.exe | 66.39.83.155:80 | www.nchsoftware.com | PAIR-NETWORKS | US | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown


DNS requests

Domain | IP | Reputation
google.com | 142.250.185.174 | whitelisted
www.nchsoftware.com | 66.39.83.155, 198.84.119.122, 54.149.5.211 | malicious
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
ctldl.windowsupdate.com | 23.50.131.216, 23.50.131.200 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
secure.nch.com.au | 173.247.253.164 | unknown

Threats

PID | Process | Class | Message
2752 | nchsetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2752 | nchsetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info