72be119c2fee04645c6fc89f98e43e3111bd6f014ed0b91f868c2dd0462f5690

Analysis

max time kernel
94s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Postman-win64-Setup.exe
Size

134.7MB
MD5

9ecd035fc23829a7abada1f6d9b839bd
SHA1

db185ecd19f501994c200880a1b8a0dc68da621c
SHA256

72be119c2fee04645c6fc89f98e43e3111bd6f014ed0b91f868c2dd0462f5690
SHA512

7ab0ac36d80541fab480565fe8156dd8e75d4d6c8c4304c7958681b9a7e873663e2c91ed834176725ec866c31c8661a4e85d81d0e5fdac10bc7a4a54b335d4dc
SSDEEP

3145728:FRGQ1rA4BsMSThYyGgNlbyFybgkwTiFO8dt0bh:FRD1rIMlR0GytwTiVt0bh

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 15 IoCs

pid	Process
4888	Update.exe
3340	Squirrel.exe
3236	Postman.exe
3392	Postman.exe
2932	Postman.exe
4388	Postman.exe
4884	Postman.exe
1248	Postman.exe
4860	Postman.exe
5052	Postman.exe
4716	Postman.exe
1496	Postman.exe
3024	Postman.exe
5068	Postman.exe
4116	Postman.exe

Loads dropped DLL 15 IoCs

pid	Process
3236	Postman.exe
3392	Postman.exe
2932	Postman.exe
2932	Postman.exe
2932	Postman.exe
2932	Postman.exe
2932	Postman.exe
4388	Postman.exe
4884	Postman.exe
4860	Postman.exe
5052	Postman.exe
4716	Postman.exe
3024	Postman.exe
5068	Postman.exe
4116	Postman.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\shell\open\command	Postman.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\shell	Postman.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\shell\open	Postman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Postman\\app-11.0.12\\Postman.exe\" \"%1\""	Postman.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman	Postman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\URL Protocol	Postman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\postman\ = "URL:postman"	Postman.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Postman.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Postman.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Postman.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	Update.exe
4888	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe
Token: SeShutdownPrivilege	3236	Postman.exe
Token: SeCreatePagefilePrivilege	3236	Postman.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4888	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4888	4408	Postman-win64-Setup.exe	82
PID 4408 wrote to memory of 4888	4408	Postman-win64-Setup.exe	82
PID 4888 wrote to memory of 3340	4888	Update.exe	83
PID 4888 wrote to memory of 3340	4888	Update.exe	83
PID 4888 wrote to memory of 3236	4888	Update.exe	84
PID 4888 wrote to memory of 3236	4888	Update.exe	84
PID 3236 wrote to memory of 3392	3236	Postman.exe	86
PID 3236 wrote to memory of 3392	3236	Postman.exe	86
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 2932	3236	Postman.exe	87
PID 3236 wrote to memory of 4388	3236	Postman.exe	88
PID 3236 wrote to memory of 4388	3236	Postman.exe	88
PID 3236 wrote to memory of 4884	3236	Postman.exe	89
PID 3236 wrote to memory of 4884	3236	Postman.exe	89
PID 1248 wrote to memory of 4860	1248	Postman.exe	93
PID 1248 wrote to memory of 4860	1248	Postman.exe	93
PID 4860 wrote to memory of 5052	4860	Postman.exe	94
PID 4860 wrote to memory of 5052	4860	Postman.exe	94
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95
PID 4860 wrote to memory of 4716	4860	Postman.exe	95

C:\Users\Admin\AppData\Local\Temp\Postman-win64-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Postman-win64-Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Squirrel.exe
    "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:3340
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
    "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
      C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Postman /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Postman\Crashpad --annotation=_productName=Postman --annotation=_version=11.0.12 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=20.3.11 --initial-client-data=0x474,0x47c,0x480,0x450,0x484,0x7ff61bc258f8,0x7ff61bc25908,0x7ff61bc25918
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3392
  - - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
      "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Postman" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1848,i,16197769986981839616,10666679708050834850,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2932
  - - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
      "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Postman" --mojo-platform-channel-handle=2128 --field-trial-handle=1848,i,16197769986981839616,10666679708050834850,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4388
  - - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
      "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Postman" --app-user-model-id=com.squirrel.Postman.Postman --app-path="C:\Users\Admin\AppData\Local\Postman\app-11.0.12\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2512 --field-trial-handle=1848,i,16197769986981839616,10666679708050834850,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4884

C:\Users\Admin\AppData\Local\Postman\Postman.exe
"C:\Users\Admin\AppData\Local\Postman\Postman.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
  "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
    C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Postman /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Postman\Crashpad --url=https://o1224273.ingest.sentry.io/api/6543787/minidump/?sentry_key=4657359d34004de980b15867cd04eb7a --annotation=_productName=Postman --annotation=_version=11.0.12 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=20.3.11 --initial-client-data=0x490,0x498,0x49c,0x46c,0x4a0,0x7ff61bc258f8,0x7ff61bc25908,0x7ff61bc25918
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5052
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
    "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Postman" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1888,i,2188570070685621031,939638805666824435,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4716

C:\Users\Admin\AppData\Local\Postman\Postman.exe
"C:\Users\Admin\AppData\Local\Postman\Postman.exe"
1⤵
- Executes dropped EXE
PID:1496
- C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
  "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3024
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
    C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Postman /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Postman\Crashpad --annotation=_productName=Postman --annotation=_version=11.0.12 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=20.3.11 --initial-client-data=0x474,0x47c,0x480,0x454,0x484,0x7ff61bc258f8,0x7ff61bc25908,0x7ff61bc25918
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5068
- - C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe
    "C:\Users\Admin\AppData\Local\Postman\app-11.0.12\Postman.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Postman" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1920,i,14338324159600052294,5753172800760785861,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Postman\Postman.exe

Filesize
365KB

MD5
d6198e8bd66340b3dfd7281bd77d5d2f

SHA1
7d886ffdba771dd56a6f3b20ae9db678eae96dc4

SHA256
36c75bcd8c645bd2d45ed70033322b5428b45697d576e8cb57cc3afb5985939b

SHA512
8d650ca54a0d0a2fbcc24b9aba43d381d22507718f00ca0538609165d412ffbecb5efa9d6344208e80e746759daa8c9721887a9a6b92578c0982a0847b41cc2f

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\chrome_100_percent.pak

Filesize
126KB

MD5
a3d4515d3a33a407d313a62818e82a5d

SHA1
967ff9a6774a66f7b3299af4fd5d70961ed54d79

SHA256
662a9db6ef4197cb4b6c50648a2cafceb7fd903015828df3fee605a602370be0

SHA512
0c757e1beccbca1ae0791fa0c51a9e2019696bd0965c73de67b364fba6f317ea2cf20fa65e4fa7dd22519683528e5112dc8c530049170f4e702e0c8d4e065801

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\chrome_200_percent.pak

Filesize
175KB

MD5
3bab45c70f22646cf8452c30903810cb

SHA1
40b31d4c79b5a2b8d12f8cf8b6c49c962c31f766

SHA256
d4282ae977f23afe252e19e421c8d09696ea3b83a1e73a6aaebaaa5547c74cbc

SHA512
85eda055494f0233c963e821906cf69d94e664d8396e8b08e7a8f412e1c16af71252fef1bfe3ed43cfad157aa90c0dcbb375626e2ddf0e807c9b23ad27e61d9c

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\d3dcompiler_47.dll

Filesize
4.7MB

MD5
6769d744dee8fb74b18ea8744fea42af

SHA1
ae8d942ba04d8535a6d1b6c3889ecc0cac779e7c

SHA256
872d83d322ed1941a638cc7c22505f98f85e90bd57284ac1389ae8046402f442

SHA512
ddafe9d0a762c7452b55454b07da253b6ff966954e6841ca730179d992de213c09791455982001fcda7f6d3fceb9dd0f9eaf27576c9a54716cbc846b4e93df9a

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\ffmpeg.dll

Filesize
2.7MB

MD5
44397ad6e4e66eb424485bd22fa6be2a

SHA1
4297121b6b83cdfc2bcac253a58e5823fae0f249

SHA256
64c6a61b73ebdf0158e0d056fd51eea6e22e1bec46d6e060b7db810f57d19ed2

SHA512
78b52eb78ae17f64e0c43f693c163ffab922d93cbe907c32cef175baa35968202e147077ad497f7fe0c461c027f16da40c0547925e9650500c436776216f7f35

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\icudtl.dat

Filesize
10.0MB

MD5
516f6b90d1539bd1eaeaa2fc32dadb92

SHA1
8017789bef98902cdc95c18e67b84378ddd293c0

SHA256
51edd31f6c5d298c662af320424b632172a31e3348cdbb201380636c95ded794

SHA512
db4b5fd7f8a0e0a331ffa7c574d011b059df8654cdc6ee4970f84fda20b88a3b8706f2605d91d19a6dd86d2702cc9542e026a054d28f85c51b676daa8d3f3bb0

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\libEGL.dll

Filesize
435KB

MD5
f6d4d8d46b976ba861e0d83a3d2ae3af

SHA1
523f3a567a2cadcfd75b4e15b2f8dcf8b1605992

SHA256
fd670b879c3f68046d27c73d890a63bd7f2d048a50c9b40755290cf7baebfabc

SHA512
b928b19a83b4bd4e167e66038da8e50a0f324865a2eae7bd2390ad848e53e7b1d0976e43489a337aa248bf7368c1d7ac916eb8ab1f9d547c22d8c8a9bcf595be

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\libGLESv2.dll

Filesize
6.2MB

MD5
87d46a1c9dbe20eb2c9cc716ded36896

SHA1
3074e9676d03b66a6e6dabbe85616defa5f6b793

SHA256
5e1d326c3092aec16c5ff28cb4b57cce6411976449339c443ec4e6b1a7ba469c

SHA512
03a74b98fe65d9c7be1d4af52fbe78b70410712dfba88f875b0a2e8c9b7910ea08ab480d2e58d86e359f0a6112a33ba20f85515eb53035fa5624741e29d52f8c

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\locales\en-US.pak

Filesize
295KB

MD5
a2ed0e17819c287b824cae5c0ac03af7

SHA1
9694627f89cd65fbb511eacc6c785ab045525ff2

SHA256
c4a2c6a90945868a02ad14b3a994e94b123981d56190bd34cc3cb14f31f2270b

SHA512
a527351a1c61e6ed4e999c6549ec04b2096712644c4e1f28b48872c031c9f0a4bb118c0ceb40dc3a35315ddc7cf244e3c0c03d864a53d4a76f6dcf1b3889c109

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\resources.pak

Filesize
5.1MB

MD5
189c5871e67cc067293ef65ab1cb6a71

SHA1
c8a233ccb51b1fcdaf604f7c06dcdf9d57719628

SHA256
ec076cef33458d85b8e0869c64cd9179853445657cc71051c5ccea47639e336d

SHA512
668732fef5e032beda61b4cc6901968885a39d7a121e2492b0fd7b52d69aac4a093694fc6ea06b4b0f29a4e31bcd50717034f77df1754a7702c3d7be66bd3a21

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\squirrel.exe

Filesize
1.8MB

MD5
9fb919787fc7850a4188eb0ef45d9168

SHA1
6f8328c57bd19910e2230ee92f5c3bca47f490d1

SHA256
c6e4de6c2787cf0f039325eaa01489b56960806d06ec3dceb34748bef7db9298

SHA512
b91895f8cec3794bd34918ca79828c6724fc9fe00949adf6438b4a2f6da8f59c412731fc9cfe85babf2c87c6722c3c84e38266c8bc807b0b1a7b7f7f9a0f0473

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\v8_context_snapshot.bin

Filesize
716KB

MD5
7ea15faff14c6631ef7ef7899ec8235d

SHA1
b398fb7e8e3afa7886c483b054be4358aba5b800

SHA256
1717afb2f6958e37a34ab35b5b796ff2d9fa7d0d4828a405221ac3260b722973

SHA512
57e6fdf0c6c64f232fe6c247b955689bba09a9c2bd37124b3b4b419403ee1f1028b5eed6b1e3f96263cbc1762d3c2637e06ffb3a04891772d67487ee2fd8db45

Download Submit
C:\Users\Admin\AppData\Local\Postman\app-11.0.12\vk_swiftshader.dll

Filesize
3.9MB

MD5
8ede69eb40031b13a0ffc46508c48745

SHA1
9320e19f8c842748e840c3281a869f7d595adf56

SHA256
e7180f721cb7e308cee8a6263f6e7775b10e5c20807a07450cf38c14e9f4b1a3

SHA512
f7d84133a4190811e96e62c23a3f664e89b7027a0b2d0bed9b4cbdcee801fc915f358ab6f704f95ba89f95e23da102e072acd70f803ebcbe352212785edad915

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
80B

MD5
c7bf9293bc9e99d48db4994b7bd9ccbb

SHA1
5f2506f03979d41b1ff3764ab7514ecee3ee8e50

SHA256
529fead036d65a6c77a460399368e984b73c6ec433c49378d42a5d85ae7c9cfe

SHA512
8661e38bb8726a8e972d24d632c5f26bcf674106c29c04c57e5fd2cf843a304fa0317f55ed5098d2d42b1a318f4cacb14a5af450773b334e5a38ed991b2ee0e8

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
f8e9403e77ab5b77a04b66ea2e8046f3

SHA1
b17f84b32854b83d7e26cc7f41c892106ffc6139

SHA256
2e19436f03c98364e8b1a6da786560cd34866d2448d3f8621a1b1f103a136689

SHA512
aa711a9172cb297dff028e143b3edd822a0a4fe56ae6f414e5b68f7ee8c3d9dfc62d54ca939ff8295d0667f7da51abd377f4c63acdb3958a12ef09ed6633ce2e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
669KB

MD5
7c6f62944249c7992b1d79b8e9959eaa

SHA1
1aff0f7534e4e69d5f370841a9fc6cdca237ccc3

SHA256
ddb17e0a1467c378db245f29804d9740885212f83988069cceb98c62f7dfa3da

SHA512
297e3edf919a8d4ce168d3e9dbab69988f72c7ebd978ff926eb54f875bf7e89823d15059544f662aee62f378678de6b64873dee836103dc7a04ce4e3af23abd9

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
24KB

MD5
1cb89146c50ffa12878fcb603a042406

SHA1
cfa33191218440c58fac904aa0f7c7e063f01c61

SHA256
8e7200c658334b2ac4c142ed3a24890782b655f86415739b3717c87b4851911c

SHA512
8185c20b686b3cc0937dab203cb50f09746ecf2741a9d894e98b6eb64963ceeb68726dd17cfd98e74a8611a1d0f00e1a807aef3184a298af0e877c966b54bed3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Crashpad\settings.dat

Filesize
40B

MD5
1a0a399a7db462bc00d39076bf8f74aa

SHA1
c0192636a2cf3e19940e00c4a85e134d4ee0d313

SHA256
b1dd1f518dcd8b31de04511ebbf473ac6abd3639715edf1475b5f4cf48597cc5

SHA512
2baf2251439c392049d51ece8bfc524c3615a71891147a1eae55c7addb5ec5536f17930f59233dd3e3197cacd3227aab12c8777f72cefc4cd7fc6d4d71620afb

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Crashpad\settings.dat

Filesize
40B

MD5
44a1fade152830ad3d1ae421d10cf5a8

SHA1
68edaa3b750f808e756daf22d47d9f83607bb915

SHA256
8ba000c21cb94d4535eae7a20c539aa9828ea60bba5fdd8129501fd05ce0de9d

SHA512
f0adada21e4506a8b07d263da5b51761ff264885f04c7ada0fd3a24bf0aaa785839c8f9b8f9dfb5b729f5e84d00938d829170c596087214093afdf7adec7326f

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Local State

Filesize
389B

MD5
46fa8d3638e7fae1b0e15ef5369e6ddf

SHA1
a60c9d9747fffd4991793eb15c0f5c6541ca21e5

SHA256
7752ce5051a7153e5e2e4f63f6ac366afeffab79dc847b09cceff510c86b1799

SHA512
099ed3e3f37bd26906590917d19c77e1bc1635d4570f1137c442fda57e62241d5c57dcc052afd4ed1db3ef08a468a88f7aa77119eb350abe66ba056983501bab

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Partitions\postman_shell\Network\Network Persistent State

Filesize
296B

MD5
741669046d8ce0f1c1efb24f446a2517

SHA1
325949f67b67cd85785eff025246847d32468b8b

SHA256
bca86618e15e321ef425f12272c948c02f7eed9deebe19a470a00e18505d34b9

SHA512
81fed541a77a36958cb12039f2e31f2c91c51728bd869148435d33ce80de5fd424bd2b9fc8b47a0586e62e441b7d66807e818d5625a1ea736f6a69ab43d5ba48

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Partitions\postman_shell\Network\Network Persistent State~RFe58d349.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\Partitions\postman_shell\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\storage\settings.json

Filesize
33B

MD5
ca6ee9d087387204c8949821d2f81d6e

SHA1
af414c5f6d9f8ee74ad1af16c3071f415babba2d

SHA256
bc6997959b599aa5eca457d65d6ea8db1f8571877b453db4c2b7a5ed882c4953

SHA512
0bda79d6fa6fb4b5a65c63fb1fa116da11ff188b2bde19621c4ec2272a25a2728f668e7383c7345768bbe4b3328d73ca02287e2f9d4e063a9a79da34ea7513f1

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\storage\userPartitionData.json

Filesize
27B

MD5
1a315c4fc216855ad5d2da20e61e2d9d

SHA1
3843e928165fdc9e838224312286c5d7c2ed5f43

SHA256
c2115c763cbfff93ecf43c0771a9b3d22525557ebb76abd0154e4e405f5b9089

SHA512
efe152d07c76252bcdead5589825d413951d2bace8ba474543de4532a66b003b239df0febe84bcfbcfbc797f1dbd098eeee511494c43062fa6cf44999ae9e257

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\storage\userPartitionData.json

Filesize
43B

MD5
c67667b1b33b51f50c958ac19a2b468f

SHA1
f2d5911bb5e390495a5c665babca20fc736e58d6

SHA256
24eada04aa6d95ad5476585e348c227b3b9280a1a53682a153c580b8db0f17f0

SHA512
0a1e5f3a23766b3c16482a52a742ebba210f91b5df5c5628a376ec53ef67cff754ddafc9f7e1f258f7d8f7a975fbae2b2a8d09b57d4189d080ac03681eb931f8

Download Submit
C:\Users\Admin\AppData\Roaming\Postman\storage\userPartitionData.json

Filesize
54B

MD5
62277ac04e00704de145d19d6b97c6b0

SHA1
7af61bc528ab9c8e4cb21345d613e320741a2e5e

SHA256
54657e8e4df0afb2606730e9d0e6fecce8123740b5d738815fa9bb64ac1d8f9f

SHA512
aac0bbb0e5f69d1b67663eac569aa7340fda63973464a1cf00d7320cbc30dd66e0488443582eaaf553d72a58c7878c7427dabe8682aaf4cdb74fe4cc1e4629c6

Download Submit
memory/2932-161-0x00007FFB6E8E0000-0x00007FFB6E8E1000-memory.dmp

Filesize
4KB

Download
memory/3340-103-0x0000000000770000-0x000000000093A000-memory.dmp

Filesize
1.8MB

Download
memory/4888-126-0x00000000283C0000-0x00000000283F8000-memory.dmp

Filesize
224KB

Download
memory/4888-8-0x0000000000150000-0x0000000000314000-memory.dmp

Filesize
1.8MB

Download
memory/4888-107-0x000000001B790000-0x000000001B7B0000-memory.dmp

Filesize
128KB

Download
memory/4888-127-0x00000000282C0000-0x00000000282CE000-memory.dmp

Filesize
56KB

Download