File name: putty-portable-0.83-installer_jm-oCT2.exe

Full analysis: https://app.any.run/tasks/182a087a-553a-4029-923b-c181f48a6333
Verdict: Malicious activity
Analysis date: April 12, 2025, 21:28:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: putty, rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 519323C0BA82598E4304211EE225D998
SHA1: 34488CDA57D1A98ED2B8FB6B65307AD285F16ED4
SHA256: 4BC69ACDBC93F0CFA42B28DBCD51BBA4F2E4347EC84054AB5B3178788BB3C60A
SSDEEP: 98304:7PIRMu5DUrszskSGjKuV3XNr/g4T6Gq+flu+ehce/Unba+O+CB3jD9hlS:k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • PuTTYPortable.exe (PID: 8160)
  • SUSPICIOUS
    • There is functionality for taking screenshot (YARA)
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • Executable content was dropped or overwritten
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
    • Reads security settings of Internet Explorer
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • PuTTYPortable.exe (PID: 8160)
    • The process creates files with names similar to system file names
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
    • Executes application which crashes
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • PUTTY has been detected
      • PUTTY.EXE (PID: 6032)
  • INFO
    • Reads the machine GUID from the registry
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • Reads the software policy settings
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • Reads the computer name
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
      • PUTTY.EXE (PID: 6032)
    • Checks proxy server information
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • Checks supported languages
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
      • PUTTY.EXE (PID: 6032)
    • The sample was compiled with English language support
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
      • putty-portable-0.83-installer.exe (PID: 7752)
    • Process checks computer location settings
      • putty-portable-0.83-installer_jm-oCT2.exe (PID: 7200)
    • Creates files in a temporary directory
      • putty-portable-0.83-installer.exe (PID: 7752)
      • PuTTYPortable.exe (PID: 8160)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 7880)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:31 15:22:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 2143744
InitializedDataSize: 2316288
UninitializedDataSize: -
EntryPoint: 0x1c118b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.11.0
ProductVersionNumber: 3.0.11.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic
FileVersion: 3.0.11.0.0
LegalCopyright: (c) Softonic
ProductName: Softonic
ProductVersion: 3.0.11.0.0
Total processes: 139
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph (interactive graph only in the full report): start, putty-portable-0.83-installer_jm-oct2.exe, sppextcomobj.exe (no specs), slui.exe (no specs), putty-portable-0.83-installer.exe, werfault.exe (no specs), puttyportable.exe (THREAT), putty.exe (no specs), putty-portable-0.83-installer_jm-oct2.exe (no specs)

Process information

PID: 5972
CMD: "C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe"
Path: C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe
Parent process: explorer.exe
User: admin
Company: Softonic
Integrity Level: MEDIUM
Description: Softonic
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the MEDIUM-integrity launch needed UAC elevation; the same installer then runs as PID 7200 at HIGH integrity)
Version: 3.0.11.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\putty-portable-0.83-installer_jm-oct2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6032
CMD: "C:\Users\admin\Downloads\PuTTYPortable\App\putty\putty.exe"
Path: C:\Users\admin\Downloads\PuTTYPortable\App\putty\PUTTY.EXE
Parent process: PuTTYPortable.exe
User: admin
Company: Simon Tatham
Integrity Level: HIGH
Description: SSH, Telnet, Rlogin, and SUPDUP client
Version: Release 0.83 (with embedded help)
Modules (Images):
c:\users\admin\downloads\puttyportable\app\putty\putty.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 7200
CMD: "C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe"
Path: C:\Users\admin\AppData\Local\Temp\putty-portable-0.83-installer_jm-oCT2.exe
Parent process: explorer.exe
User: admin
Company: Softonic
Integrity Level: HIGH
Description: Softonic
Exit code: 3221226356 (0xC0000374, STATUS_HEAP_CORRUPTION; this is the crash for which WerFault.exe PID 7880 was started)
Version: 3.0.11.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\putty-portable-0.83-installer_jm-oct2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7240
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7272
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7752
CMD: "C:\Users\admin\Downloads\putty-portable-0.83-installer.exe"
Path: C:\Users\admin\Downloads\putty-portable-0.83-installer.exe
Parent process: putty-portable-0.83-installer_jm-oCT2.exe
User: admin
Company: PortableApps.com
Integrity Level: HIGH
Description: PuTTY Portable
Exit code: 0
Version: 0.83.0.0
Modules (Images):
c:\users\admin\downloads\putty-portable-0.83-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7880
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7200 -s 896
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: putty-portable-0.83-installer_jm-oCT2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 8160
CMD: "C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe"
Path: C:\Users\admin\Downloads\PuTTYPortable\PuTTYPortable.exe
Parent process: putty-portable-0.83-installer.exe
User: admin
Company: PortableApps.com
Integrity Level: HIGH
Description: PuTTY Portable (PortableApps.com Launcher)
Version: 2.2.9.0
Modules (Images):
c:\users\admin\downloads\puttyportable\puttyportable.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 141
Read events: 3 135
Write events: 3
Delete events: 3

Modification events

(PID) Process: (7880) WerFault.exe
Key: \REGISTRY\A\{a7ebfaa1-e30d-3c01-a831-c6d459d106c9}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (7880) WerFault.exe
Key: \REGISTRY\A\{a7ebfaa1-e30d-3c01-a831-c6d459d106c9}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: -
Executable files: 17
Suspicious files: 5
Text files: 24
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_putty-portable-0_6b3643f0d914541b178a9239d9c6491dfc5b524_13caa590_599fee78-03d7-4e98-94dd-14eeb833252a\Report.wer | -
  MD5: -
  SHA256: -
7200 | putty-portable-0.83-installer_jm-oCT2.exe | C:\Users\admin\Downloads\putty-portable-0.83-installer.exe | executable
  MD5: 710ADA266BBB007A4CB0E6D057DA3D76
  SHA256: 7A19751ED16E5A355BDB3F415DF9F28F47EC87B608A59D691256A8983F6D3987
7752 | putty-portable-0.83-installer.exe | C:\Users\admin\AppData\Local\Temp\nshFBB9.tmp\nsDialogs.dll | executable
  MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
  SHA256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
7880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E7.tmp.WERInternalMetadata.xml | xml
  MD5: 93EA605941F59DCD6BF8047ADFDF5ED0
  SHA256: A73759300F1429345406895A191C304A5191B3951ACDDEF1810C473E4D9621EB
7752 | putty-portable-0.83-installer.exe | C:\Users\admin\AppData\Local\Temp\nshFBB9.tmp\modern-wizard.bmp | image
  MD5: 4DF53EFCAA2C52F39618B2AAD77BB552
  SHA256: EE13539F3D66CC0592942EA1A4C35D8FD9AF67B1A7F272D0D791931E6E9CE4EB
7880 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary
  MD5: EB2B62259CF279D0E1FA968BBD8FDD55
  SHA256: 936D4B48C23155C073A3304DB6F6BDDE7EE90439A01A3F36FD4AEE6AF6049CE7
7880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER721.tmp.dmp | binary
  MD5: AD0E7A19E19CA949831CB3220F9FE22F
  SHA256: 52C3758281EBC562D6C9804DEB8CC134BCE26292B0254EF02AFDF635C36432ED
7880 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\putty-portable-0.83-installer_jm-oCT2.exe.7200.dmp | binary
  MD5: 97D29C5A9DB75BE2611E77D2F35FC335
  SHA256: 22D14AE7E094DFB733633D9D63A05F5088EEAD3D840E932CF2B11E87DDDFE453
7752 | putty-portable-0.83-installer.exe | C:\Users\admin\AppData\Local\Temp\nshFBB9.tmp\System.dll | executable
  MD5: 192639861E3DC2DC5C08BB8F8C7260D5
  SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
7752 | putty-portable-0.83-installer.exe | C:\Users\admin\Downloads\PuTTYPortable\App\Readme.txt | text
  MD5: 50A1227C8DFEF16D5F98039EAD77010D
  SHA256: 7DDD729BA9DB617E8364B8F2793C8239270C66DAF192269B359BE2620807E972
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8032 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8032 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7200 | putty-portable-0.83-installer_jm-oCT2.exe | 3.160.203.199:443 | di7e1j5f1plfo.cloudfront.net | - | US | whitelisted
7200 | putty-portable-0.83-installer_jm-oCT2.exe | 151.101.1.91:443 | images.sftcdn.net | FASTLY | US | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain: resolved IPs (reputation)
settings-win.data.microsoft.com: 4.231.128.59, 40.127.240.158 (whitelisted)
crl.microsoft.com: 2.16.241.19, 2.16.241.12 (whitelisted)
google.com: 142.250.185.78 (whitelisted)
client.wns.windows.com: 172.211.123.248 (whitelisted)
login.live.com: 20.190.159.68, 20.190.159.0, 20.190.159.128, 40.126.31.129, 40.126.31.69, 40.126.31.73, 20.190.159.64, 20.190.159.129 (whitelisted)
ocsp.digicert.com: 2.23.77.188 (whitelisted)
di7e1j5f1plfo.cloudfront.net: 3.160.203.199, 3.160.203.34, 3.160.203.18, 3.160.203.13 (whitelisted)
images.sftcdn.net: 151.101.1.91, 151.101.65.91, 151.101.129.91, 151.101.193.91 (whitelisted)
gsf-fl.softonic.com: 151.101.1.91, 151.101.65.91, 151.101.129.91, 151.101.193.91 (whitelisted)
slscr.update.microsoft.com: 4.175.87.197 (whitelisted)

Threats

No threats detected
No debug info