File name:

putty-portable-0.83-installer_jm-oCT2.exe

Full analysis: https://app.any.run/tasks/182a087a-553a-4029-923b-c181f48a6333
Verdict: Malicious activity
Analysis date: April 12, 2025, 21:28:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
putty
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

519323C0BA82598E4304211EE225D998

SHA1:

34488CDA57D1A98ED2B8FB6B65307AD285F16ED4

SHA256:

4BC69ACDBC93F0CFA42B28DBCD51BBA4F2E4347EC84054AB5B3178788BB3C60A

SSDEEP:

98304:7PIRMu5DUrszskSGjKuV3XNr/g4T6Gq+flu+ehce/Unba+O+CB3jD9hlS:k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • PuTTYPortable.exe (PID: 8160)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)

    • There is functionality for taking screenshot (YARA)

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • Reads security settings of Internet Explorer

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • PuTTYPortable.exe (PID: 8160)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)

    • The process creates files with name similar to system file names

      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)

    • Executes application which crashes

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • PUTTY has been detected

      • PUTTY.EXE (PID: 6032)

  • INFO

    • The sample compiled with english language support

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)

    • Reads the software policy settings

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • Process checks computer location settings

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • Reads the machine GUID from the registry

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • Checks supported languages

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
      • PUTTY.EXE (PID: 6032)

    • Checks proxy server information

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)

    • Reads the computer name

      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
      • PUTTY.EXE (PID: 6032)

    • Create files in a temporary directory

      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:31 15:22:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 2143744
InitializedDataSize: 2316288
UninitializedDataSize: -
EntryPoint: 0x1c118b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.11.0
ProductVersionNumber: 3.0.11.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic
FileVersion: 3.0.11.0.0
LegalCopyright: (c) Softonic
ProductName: Softonic
ProductVersion: 3.0.11.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start putty-portable-0.83-installer_jm-oct2.exe sppextcomobj.exe no specs slui.exe no specs putty-portable-0.83-installer.exe werfault.exe no specs puttyportable.exe THREAT putty.exe no specs putty-portable-0.83-installer_jm-oct2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5972"C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe" C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exeexplorer.exe
User:
admin
Company:
Softonic
Integrity Level:
MEDIUM
Description:
Softonic
Exit code:
3221226540
Version:
3.0.11.0.0
Modules
Images
c:\users\admin\appdata\local\temp\putty-portable-0.83-installer_jm-oct2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6032"C:\Users\admin\Downloads\PuTTYPortable\App\putty\putty.exe"C:\Users\admin\Downloads\PuTTYPortable\App\putty\PUTTY.EXE
PuTTYPortable.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
HIGH
Description:
SSH, Telnet, Rlogin, and SUPDUP client
Version:
Release 0.83 (with embedded help)
Modules
Images
c:\users\admin\downloads\puttyportable\app\putty\putty.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
7200"C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe" C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe
explorer.exe
User:
admin
Company:
Softonic
Integrity Level:
HIGH
Description:
Softonic
Exit code:
3221226356
Version:
3.0.11.0.0
Modules
Images
c:\users\admin\appdata\local\temp\putty-portable-0.83-installer_jm-oct2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7240C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7272"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7752"C:\Users\admin\Downloads\putty-portable-0.83-installer.exe" C:\Users\admin\Downloads\putty-portable-0.83-installer.exe
putty-portable-0.83-installer_jm-oCT2.exe
User:
admin
Company:
PortableApps.com
Integrity Level:
HIGH
Description:
PuTTY Portable
Exit code:
0
Version:
0.83.0.0
Modules
Images
c:\users\admin\downloads\putty-portable-0.83-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7880C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7200 -s 896C:\Windows\SysWOW64\WerFault.exeputty-portable-0.83-installer_jm-oCT2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
8160"C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe"C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe
putty-portable-0.83-installer.exe
User:
admin
Company:
PortableApps.com
Integrity Level:
HIGH
Description:
PuTTY Portable (PortableApps.com Launcher)
Version:
2.2.9.0
Modules
Images
c:\users\admin\downloads\puttyportable\puttyportable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 141
Read events
3 135
Write events
3
Delete events
3

Modification events

(PID) Process:(7880) WerFault.exeKey:\REGISTRY\A\{a7ebfaa1-e30d-3c01-a831-c6d459d106c9}\Root\InventoryApplicationFile
Operation:writeName:WritePermissionsCheck
Value:
1
(PID) Process:(7880) WerFault.exeKey:\REGISTRY\A\{a7ebfaa1-e30d-3c01-a831-c6d459d106c9}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:delete keyName:(default)
Value:
Executable files
17
Suspicious files
5
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
7880WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_putty-portable-0_6b3643f0d914541b178a9239d9c6491dfc5b524_13caa590_599fee78-03d7-4e98-94dd-14eeb833252a\Report.wer
MD5:
SHA256:
7880WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER721.tmp.dmpbinary
MD5:AD0E7A19E19CA949831CB3220F9FE22F
SHA256:52C3758281EBC562D6C9804DEB8CC134BCE26292B0254EF02AFDF635C36432ED
7752putty-portable-0.83-installer.exeC:\Users\admin\AppData\Local\Temp\nshFBB9.tmp\System.dllexecutable
MD5:192639861E3DC2DC5C08BB8F8C7260D5
SHA256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
7880WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:EB2B62259CF279D0E1FA968BBD8FDD55
SHA256:936D4B48C23155C073A3304DB6F6BDDE7EE90439A01A3F36FD4AEE6AF6049CE7
7200putty-portable-0.83-installer_jm-oCT2.exeC:\Users\admin\Downloads\putty-portable-0.83-installer.exeexecutable
MD5:710ADA266BBB007A4CB0E6D057DA3D76
SHA256:7A19751ED16E5A355BDB3F415DF9F28F47EC87B608A59D691256A8983F6D3987
7752putty-portable-0.83-installer.exeC:\Users\admin\AppData\Local\Temp\nshFBB9.tmp\modern-header.bmpimage
MD5:8BD2FC53EDA7B2ACAB282B23DAE497C2
SHA256:9AB6A194565DD66BC8C4872E8C670487303D4690C5FEE33DB41A591A6BBFCE2D
7752putty-portable-0.83-installer.exeC:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appicon_32.pngimage
MD5:5065DDDEA450DD6843FD2AF2A70FC3E1
SHA256:454C5FCEC4A73F4D39072ED9812967ADC102B8322F3AA101DFA1ECEBA6BB6F02
7752putty-portable-0.83-installer.exeC:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appicon_16.pngimage
MD5:77ACA5FAA13DDB0C23983443ED91E072
SHA256:3838F62CA15C88A148532ADFF1A376756338DE0A77E9B70CEC04F95D8DBC82D4
7752putty-portable-0.83-installer.exeC:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appicon_128.pngimage
MD5:196510BEAA3687DB5F398E6F6F978CCE
SHA256:EDE5FFEA9376B1B29BE140B76BF233C760FD8F3D6428EDEA696A6FB9AC8A4864
7752putty-portable-0.83-installer.exeC:\Users\admin\Downloads\PuTTYPortable\App\AppInfo\appinfo.initext
MD5:0226F823E7B3B4A7695C0C2334EA696F
SHA256:13E01952D6805741A6CE32859CACD1D3AECDBB0F8D8AFA41B329D83F544F6C05
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8032
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8032
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7200
putty-portable-0.83-installer_jm-oCT2.exe
3.160.203.199:443
di7e1j5f1plfo.cloudfront.net
US
whitelisted
7200
putty-portable-0.83-installer_jm-oCT2.exe
151.101.1.91:443
images.sftcdn.net
FASTLY
US
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.128
  • 40.126.31.129
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.129
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
di7e1j5f1plfo.cloudfront.net
  • 3.160.203.199
  • 3.160.203.34
  • 3.160.203.18
  • 3.160.203.13
whitelisted
images.sftcdn.net
  • 151.101.1.91
  • 151.101.65.91
  • 151.101.129.91
  • 151.101.193.91
whitelisted
gsf-fl.softonic.com
  • 151.101.1.91
  • 151.101.65.91
  • 151.101.129.91
  • 151.101.193.91
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
putty-portable-0.83-installer_jm-oCT2.exe