File name: PixillionBildkonverter.exe

Full analysis: https://app.any.run/tasks/df87aa24-2dfe-41c1-b8f0-294f6abe61f0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 16, 2024, 09:46:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 853E48A8CF730429EAD7D59CEAA81794
SHA1: 2EFD47934026EE0E713051E5E1CF9A206DADAE3C
SHA256: A97ABD7BACFD14323E29B988065D9F6FBB134935F616BB983A3A8FC607CAEE64
SSDEEP: 98304:U9uSBln7aGdQy7sA4avC8SYohz+MGnFK8sLw65znHA9n7P7a70PlcmoZUSP4TfoK:FfeS2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • freetype.exe (PID: 3164)
      • nchsetup.exe (PID: 2952)
    • Changes the autorun value in the registry

      • nchsetup.exe (PID: 2752)
      • nchsetup.exe (PID: 2952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
    • Reads security settings of Internet Explorer

      • PixillionBildkonverter.exe (PID: 3208)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
    • Reads the Internet Settings

      • PixillionBildkonverter.exe (PID: 3208)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
    • Potential Corporate Privacy Violation

      • nchsetup.exe (PID: 2752)
    • Process requests binary or script from the Internet

      • nchsetup.exe (PID: 2752)
    • Creates a software uninstall entry

      • nchsetup.exe (PID: 2952)
    • Searches for installed software

      • nchsetup.exe (PID: 2952)
    • Starts itself from another location

      • nchsetup.exe (PID: 2952)
  • INFO

    • Create files in a temporary directory

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • freetype.exe (PID: 3164)
      • pixillion.exe (PID: 3652)
    • Reads the computer name

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • nchsetup.exe (PID: 2952)
      • pixillion.exe (PID: 3364)
      • pixillion.exe (PID: 3652)
    • Checks supported languages

      • PixillionBildkonverter.exe (PID: 3208)
      • nchsetup.exe (PID: 2752)
      • Installer.exe (PID: 540)
      • freetype.exe (PID: 3164)
      • nchsetup.exe (PID: 2952)
      • pixillion.exe (PID: 3652)
      • pixillion.exe (PID: 3364)
    • Creates files in the program directory

      • nchsetup.exe (PID: 2952)
      • freetype.exe (PID: 3164)
    • Reads the machine GUID from the registry

      • pixillion.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:26 00:01:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 2560
InitializedDataSize: 2101760
UninitializedDataSize: -
EntryPoint: 0x1286
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: Pixillion Bildkonverter
FileVersion: 12.37DE+
ProductVersion: 12.37DE+
ProductName: Pixillion
LegalCopyright: NCH Software
InternalName: Pixillion
OriginalFileName: Pixillion.exe
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Behavior graph nodes (graph image not reproduced): start, pixillionbildkonverter.exe, nchsetup.exe, installer.exe, nchsetup.exe, freetype.exe, pixillion.exe (no specs), pixillion.exe (no specs), pixillionbildkonverter.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 540
CMD: C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe
Path: C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe
Parent process: nchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
Pixillion Image Converter
Exit code:
0
Version:
12.34
Modules
Images
c:\users\admin\appdata\local\temp\pixillion-2748-2\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2752
CMD: "C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n1s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe
Parent process: PixillionBildkonverter.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
Pixillion Bildkonverter
Exit code:
2
Version:
12.37DE+
Modules
Images
c:\users\admin\appdata\local\temp\n1s\nchsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2952
CMD: "C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe" -installer "C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe" -instdata "C:\Users\admin\AppData\Local\Temp\n2s\nchdata.dat"
Path: C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe
Parent process: Installer.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
Pixillion Image Converter
Exit code:
0
Version:
12.34
Modules
Images
c:\users\admin\appdata\local\temp\n2s\nchsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3164
CMD: "C:\Program Files\NCH Software\Pixillion\freetype.exe" -LQUIET -instby fiPixillion -instsvar PIXILLIONRelatedprogramsfreeon
Path: C:\Program Files\NCH Software\Pixillion\freetype.exe
Parent process: nchsetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\nch software\pixillion\freetype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 3208
CMD: "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe
Parent process: explorer.exe
User:
admin
Company:
NCH Software
Integrity Level:
HIGH
Description:
Pixillion Bildkonverter
Exit code:
2
Version:
12.37DE+
Modules
Images
c:\users\admin\appdata\local\temp\pixillionbildkonverter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 3364
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe" -installsched
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
MEDIUM
Description:
Pixillion Image Converter
Exit code:
0
Version:
12.34
Modules
Images
c:\program files\nch software\pixillion\pixillion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3392
CMD: "C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe"
Path: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe
Parent process: explorer.exe
User:
admin
Company:
NCH Software
Integrity Level:
MEDIUM
Description:
Pixillion Bildkonverter
Exit code:
3221226540
Version:
12.37DE+
Modules
Images
c:\users\admin\appdata\local\temp\pixillionbildkonverter.exe
c:\windows\system32\ntdll.dll
PID: 3652
CMD: "C:\Program Files\NCH Software\Pixillion\pixillion.exe"
Path: C:\Program Files\NCH Software\Pixillion\pixillion.exe
Parent process: nchsetup.exe
User:
admin
Company:
NCH Software
Integrity Level:
MEDIUM
Description:
Pixillion Image Converter
Version:
12.34
Modules
Images
c:\program files\nch software\pixillion\pixillion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 8 121
Read events: 7 438
Write events: 661
Delete events: 22

Modification events

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3208) PixillionBildkonverter.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: write
Name: SVar
Value: PIXILLIONShowoutfilesize2on

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: InstallerDomain
Value: -

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: _InstallerDomain
Value: -

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: delete value
Name: SVar
Value: PIXILLIONShowoutfilesize2on

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: PixillionInstall
Value: C:\Users\admin\AppData\Local\Temp\PixillionBildkonverter.exe

(PID) Process: (2752) nchsetup.exe
Key: HKEY_CURRENT_USER\Software\NCH Software\Pixillion\Software
Operation: write
Name: SVar
Value: PIXILLIONRelatedprogramspaidon
Executable files: 10
Suspicious files: 31
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3208 | PixillionBildkonverter.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.exe | executable
MD5: 7B9653E6249EFE56CDFC718762A44C86
SHA256: 2E0C8D865456BAC79E6A3CE1B502CF3BF5AA1C72D2ED6E9F3472EE3BC36A5036

3208 | PixillionBildkonverter.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchsetup.cab | compressed
MD5: 3727F6B3A750BD350274439714040A4D
SHA256: F5B1DB638681260087F0F8E23350A10E484DD4B64CC6D270ACF5AEB11F6A487C

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\freetype.exe | executable
MD5: 9D922FF98AB5EF728BF482A46C565647
SHA256: 946EC5E46E155101DA5A5E8B03AAAFB4F0359EFA437A99AE38D395763E73BCCF

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\shellmenua.msix | compressed
MD5: 981FCB4B412C54D01CDBA73D0E7FF667
SHA256: BE2BF65D3EA06F6BDDCC452E339CA4450133B656D677904FE0A1565C7A917694

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchdata.dat | executable
MD5: D70A6FA41B8EDB19A8B5FFAF9F9DDF1F
SHA256: 48FB3AC2C006120E490434A3307A2085D9A5AC9169F07A474EA72BA6E3033FD3

2952 | nchsetup.exe | C:\Program Files\NCH Software\Pixillion\superresolution.nn | binary
MD5: 44C554286E70AD597BA03CAE562DF365
SHA256: B80576E3A39238DA26FBCA141F6D15211AA5AE82558B92DC0CA96A434A8C1C05

3164 | freetype.exe | C:\Users\admin\AppData\Local\Temp\freetype_.cab | compressed
MD5: B543F65A5CFC0342E857053BFB901DA6
SHA256: EF5429418FF01885E4F3BEB0E02AF64471A87997D1D34D3B94D250B25002CB2D

3208 | PixillionBildkonverter.exe | C:\Users\admin\AppData\Local\Temp\n1s\nchdata.cab | compressed
MD5: AF9F800FB5D44CAB11CC931C6E14F5E8
SHA256: 99079C0CD004DE20660B22260F4CFF108167C52686A3EB22196F93F483B0C1BE

540 | Installer.exe | C:\Users\admin\AppData\Local\Temp\n2s\nchsetup.exe | executable
MD5: CFC411DD91DA409FCD985284A5777A7D
SHA256: 5F36CCA3C97D88BAA1F681C318F435885C4B18543DB74E179086329C0D353D60

2752 | nchsetup.exe | C:\Users\admin\AppData\Local\Temp\Pixillion-2748-2\Installer.exe | executable
MD5: 2F977D83DDD5959CCF27A3CCE89548B3
SHA256: 48E19B7C74F25638AFF3157DF11994A167587B775B2F6783759EB14749A4A4E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 12
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 23.50.131.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | - | - | whitelisted
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1060 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | - | - | whitelisted
2752 | nchsetup.exe | GET | 200 | 66.39.83.155:80 | http://www.nchsoftware.com/imageconverter/pixsetup.exe | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
2752 | nchsetup.exe | 66.39.83.155:80 | www.nchsoftware.com | PAIR-NETWORKS | US | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.174 | whitelisted
www.nchsoftware.com | 66.39.83.155, 198.84.119.122, 54.149.5.211 | malicious
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
ctldl.windowsupdate.com | 23.50.131.216, 23.50.131.200 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
secure.nch.com.au | 173.247.253.164 | unknown

Threats

PID | Process | Class | Message
2752 | nchsetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2752 | nchsetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info