File name: PuTTYPortable_0.81_English.paf.exe

Full analysis: https://app.any.run/tasks/6634e5a4-6244-49de-b8fe-414b351eb79d
Verdict: Malicious activity
Analysis date: May 14, 2024, 17:59:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: FF1FA555A342B5CBFEFCDC634FB8DE68
SHA1: 3B5F9ED33C8A24A977165F60D2EB39FAAEB004D2
SHA256: 3F80C0CF2AD74C63810B40529961715ADEB439E8E0829E2C3E39E68EC290D73D
SSDEEP: 49152:fyZXYCxXj2g5k6sSFkqJf3lqABxVRAPY34CP2FJ1g6e8yVGfxpehr+1J6YVQmVUC:faX/jt5kJ1qJfVqeVRAPY34CuFg6FEuP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
    • The process creates files with name similar to system file names

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
    • Executable content was dropped or overwritten

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
    • Creates file in the systems drive root

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
    • Reads security settings of Internet Explorer

      • PuTTYPortable.exe (PID: 4020)
    • Reads the Internet Settings

      • PuTTYPortable.exe (PID: 4020)
  • INFO

    • Checks supported languages

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
      • PUTTY.EXE (PID: 4068)
    • Reads the computer name

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
      • PUTTY.EXE (PID: 4068)
    • Create files in a temporary directory

      • PuTTYPortable_0.81_English.paf.exe (PID: 3964)
      • PuTTYPortable.exe (PID: 4020)
    • Reads the machine GUID from the registry

      • PuTTYPortable.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:10:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 412160
UninitializedDataSize: 16384
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.81.0.0
ProductVersionNumber: 0.81.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: PuTTY Portable
FileVersion: 0.81.0.0
InternalName: PuTTY Portable
LegalCopyright: 2007-2023 PortableApps.com, PortableApps.com Installer 3.8.5.0
LegalTrademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: PuTTYPortable_0.81_English.paf.exe
PortableAppscomAppID: PuTTYPortable
PortableAppscomFormatVersion: 3.8
PortableAppscomInstallerVersion: 3.8.5.0
ProductName: PuTTY Portable
ProductVersion: 0.81.0.0
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain: start → puttyportable_0.81_english.paf.exe → puttyportable.exe → putty.exe

Process information

PID: 3964
CMD: "C:\Users\admin\AppData\Local\Temp\PuTTYPortable_0.81_English.paf.exe"
Path: C:\Users\admin\AppData\Local\Temp\PuTTYPortable_0.81_English.paf.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PuTTY Portable
Exit code: 0
Version: 0.81.0.0
Modules
Images
c:\users\admin\appdata\local\temp\puttyportable_0.81_english.paf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 4020
CMD: "C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe"
Path: C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe
Parent process: PuTTYPortable_0.81_English.paf.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PuTTY Portable (PortableApps.com Launcher)
Version: 2.2.6.0
Modules
Images
c:\users\admin\downloads\puttyportable\puttyportable.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 4068
CMD: "C:\Users\admin\Downloads\PuTTYPortable\App\putty\putty.exe"
Path: C:\Users\admin\Downloads\PuTTYPortable\App\putty\PUTTY.EXE
Parent process: PuTTYPortable.exe
User: admin
Company: Simon Tatham
Integrity Level: MEDIUM
Description: SSH, Telnet, Rlogin, and SUPDUP client
Version: Release 0.81 (with embedded help)
Modules
Images
c:\users\admin\downloads\puttyportable\app\putty\putty.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 6 416
Read events: 6 392
Write events: 24
Delete events: 0

Modification events

(PID) Process: (3964) PuTTYPortable_0.81_English.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3964) PuTTYPortable_0.81_English.paf.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-2
Value: Access the computers and devices that are on your network.

(PID) Process: (3964) PuTTYPortable_0.81_English.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

(PID) Process: (3964) PuTTYPortable_0.81_English.paf.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

(PID) Process: (4020) PuTTYPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4020) PuTTYPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4020) PuTTYPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4020) PuTTYPortable.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 15
Suspicious files: 1
Text files: 22
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\AppData\Local\Temp\nsv3879.tmp\modern-wizard.bmp | image
MD5: 4DF53EFCAA2C52F39618B2AAD77BB552
SHA256: EE13539F3D66CC0592942EA1A4C35D8FD9AF67B1A7F272D0D791931E6E9CE4EB

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\AppData\Local\Temp\nsv3879.tmp\modern-header.bmp | image
MD5: 8BD2FC53EDA7B2ACAB282B23DAE497C2
SHA256: 9AB6A194565DD66BC8C4872E8C670487303D4690C5FEE33DB41A591A6BBFCE2D

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\AppData\Local\Temp\nsv3879.tmp\nsDialogs.dll | executable
MD5: 1D8F01A83DDD259BC339902C1D33C8F1
SHA256: 4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\AppData\Local\Temp\nsv3879.tmp\w7tbp.dll | executable
MD5: 9A3031CC4CEF0DBA236A28EECDF0AFB5
SHA256: 53BB519E3293164947AC7CBD7E612F637D77A7B863E3534BA1A7E39B350D3C00

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\Downloads\PuTTYPortable\help.html | html
MD5: AF54ABE5ED8EBF62E35EEA395EAAFEDC
SHA256: 1475AEFE93504F08223805891877347BE536BE2DA8D3EA5E1C17B631837CD63B

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\AppData\Local\Temp\nsv3879.tmp\System.dll | executable
MD5: 4ADD245D4BA34B04F213409BFE504C07
SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appinfo.ini | text
MD5: C01CCF8EEBEA4BB4565ABA3BE1069627
SHA256: E9CACF526C75F3F51DF3864EEA7B16913F9DDB26EF2264759398E5FB68EFD4E4

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appicon_16.png | image
MD5: 77ACA5FAA13DDB0C23983443ED91E072
SHA256: 3838F62CA15C88A148532ADFF1A376756338DE0A77E9B70CEC04F95D8DBC82D4

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appicon_32.png | image
MD5: 5065DDDEA450DD6843FD2AF2A70FC3E1
SHA256: 454C5FCEC4A73F4D39072ED9812967ADC102B8322F3AA101DFA1ECEBA6BB6F02

3964 | PuTTYPortable_0.81_English.paf.exe | C:\Users\admin\Downloads\PuTTYPortable\App\putty\PSCP.EXE | executable
MD5: 743DEDC6F601F1A41D822308545153B7
SHA256: 73C1BBD02F87BFF4C8C9D1B6CC6B73B8967C78130606659FEB488C1732587C6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
 | | 224.0.0.252:5355 | | | | unknown
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info