rhadamanthys | d603137c0fa78fad4cf0f80498fddb7eb0e8f115a9d360e9ec88d21cbbeb6944

Resubmissions

29/07/2024, 02:56

240729-de79natflc 10

28/07/2024, 16:23

240728-tv917awdlb 7

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29/07/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gatherum.exe
Size

47.3MB
MD5

3730b778d99878116f6b88afcbeef23f
SHA1

8d9b2ad3f9ac19987e036bec2dfa672e3815b66b
SHA256

d603137c0fa78fad4cf0f80498fddb7eb0e8f115a9d360e9ec88d21cbbeb6944
SHA512

275d39e2e531b22cac4f68d5ae5e38e99d6263dc610de16987aa847e3a06b7c652e89b581a7815be935efd730a9255e3002a84226df4272ed3a4129f57c9d398
SSDEEP

786432:4FfLgppR8t2argpex0I5z34qNBvf36IiQNIt7dOZ6xKpu3lbBVBZ1fNJ1zL7rDjh:4FfLgppR8t2KsefBIqNBvP6I2MQApu3b

Score

10^/10

rhadamanthys credential_access discovery execution spyware stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4324 created 2528	4324	snss1.exe	44

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
3420	powershell.exe
2680	powershell.exe
3392	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0007000000023474-674.dat	net_reactor

Executes dropped EXE 3 IoCs

pid	Process
3460	Gatherum.exe
4324	snss1.exe
2672	snss2.exe

Loads dropped DLL 56 IoCs

pid	Process
2868	Gatherum.exe
2868	Gatherum.exe
2868	Gatherum.exe
2868	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
3460	Gatherum.exe
2672	snss2.exe
2672	snss2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gatherum\pl\Microsoft.VisualBasic.Forms.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Numerics.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Windows.Forms.Design.Editors.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Collections.Specialized.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\tr\PresentationUI.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Security.SecureString.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ja\System.Xaml.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Drawing.Design.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Net.NameResolution.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\it\System.Windows.Forms.Primitives.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\tr\WindowsBase.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hans\WindowsFormsIntegration.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\PresentationFramework.Classic.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\mscordaccore_amd64_amd64_8.0.23.53103.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Runtime.InteropServices.RuntimeInformation.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\cs\System.Windows.Forms.Design.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Runtime.Serialization.Xml.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Text.Encoding.CodePages.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\cs\System.Windows.Controls.Ribbon.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\cs\System.Windows.Input.Manipulations.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hant\UIAutomationClientSideProviders.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.ComponentModel.Primitives.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Diagnostics.StackTrace.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hans\System.Windows.Forms.Design.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ja\UIAutomationClientSideProviders.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pt-BR\System.Windows.Forms.Design.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Numerics.Vectors.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Resources.Reader.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ru\UIAutomationTypes.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\de\PresentationFramework.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ru\System.Windows.Forms.Primitives.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\it\Microsoft.VisualBasic.Forms.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ko\System.Windows.Controls.Ribbon.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pt-BR\UIAutomationProvider.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hans\System.Xaml.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Net.Http.Json.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\cs\Microsoft.VisualBasic.Forms.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.IO.Compression.Native.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\zh-Hans\System.Windows.Forms.Primitives.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\mscorrc.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ru\UIAutomationClient.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Net.Requests.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Runtime.Extensions.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\fr\System.Windows.Forms.Design.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\it\System.Windows.Forms.Design.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\clrgc.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\fr\Microsoft.VisualBasic.Forms.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\de\System.Windows.Forms.Primitives.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pt-BR\System.Windows.Controls.Ribbon.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pt-BR\System.Xaml.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Net.ServicePoint.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Transactions.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pl\PresentationFramework.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\pl\UIAutomationClient.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\Gatherum.exe	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Text.RegularExpressions.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ru\WindowsBase.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Threading.AccessControl.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\de\UIAutomationClient.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\ko\WindowsBase.resources.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Linq.Expressions.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\System.Threading.Overlapped.dll	Gatherum.exe
File created	C:\Program Files (x86)\Gatherum\Microsoft.Win32.SystemEvents.dll	Gatherum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2288	4324	WerFault.exe	109
1472	4324	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gatherum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	snss2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	snss2.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
3392	powershell.exe
3392	powershell.exe
3392	powershell.exe
4324	snss1.exe
4324	snss1.exe
3512	openwith.exe
3512	openwith.exe
3512	openwith.exe
3512	openwith.exe
2672	snss2.exe
2672	snss2.exe
2672	snss2.exe
2672	snss2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3460	2868	Gatherum.exe	97
PID 2868 wrote to memory of 3460	2868	Gatherum.exe	97
PID 3460 wrote to memory of 1952	3460	Gatherum.exe	99
PID 3460 wrote to memory of 1952	3460	Gatherum.exe	99
PID 3460 wrote to memory of 3420	3460	Gatherum.exe	101
PID 3460 wrote to memory of 3420	3460	Gatherum.exe	101
PID 3460 wrote to memory of 2680	3460	Gatherum.exe	103
PID 3460 wrote to memory of 2680	3460	Gatherum.exe	103
PID 3460 wrote to memory of 3392	3460	Gatherum.exe	106
PID 3460 wrote to memory of 3392	3460	Gatherum.exe	106
PID 3460 wrote to memory of 4324	3460	Gatherum.exe	109
PID 3460 wrote to memory of 4324	3460	Gatherum.exe	109
PID 3460 wrote to memory of 4324	3460	Gatherum.exe	109
PID 4324 wrote to memory of 3512	4324	snss1.exe	110
PID 4324 wrote to memory of 3512	4324	snss1.exe	110
PID 4324 wrote to memory of 3512	4324	snss1.exe	110
PID 4324 wrote to memory of 3512	4324	snss1.exe	110
PID 4324 wrote to memory of 3512	4324	snss1.exe	110
PID 3460 wrote to memory of 2672	3460	Gatherum.exe	121
PID 3460 wrote to memory of 2672	3460	Gatherum.exe	121
PID 3460 wrote to memory of 2672	3460	Gatherum.exe	121

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3512

C:\Users\Admin\AppData\Local\Temp\Gatherum.exe
"C:\Users\Admin\AppData\Local\Temp\Gatherum.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Gatherum\Gatherum.exe
  "C:\Program Files (x86)\Gatherum\Gatherum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\f081204e-4db8-4e4a-8d65-8ddaf96b6015\snss1.exe
    "C:\Users\Admin\AppData\Local\Temp\f081204e-4db8-4e4a-8d65-8ddaf96b6015\snss1.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 448
      4⤵
      Program crash
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 452
      4⤵
      Program crash
      PID:1472
- - C:\Users\Admin\AppData\Local\Temp\f081204e-4db8-4e4a-8d65-8ddaf96b6015\snss2.exe
    "C:\Users\Admin\AppData\Local\Temp\f081204e-4db8-4e4a-8d65-8ddaf96b6015\snss2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4324 -ip 4324
1⤵
PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gatherum\Accessibility.dll

Filesize
20KB

MD5
fb554f9fe0b91f135d26ac6459cfd6f2

SHA1
b1269a2c28bded872b14fe70b69484631ef3a65d

SHA256
929ea150ad45b7c7dd5427461fbec44d43b67c08081f59b42b6abf570feae271

SHA512
8dffde6cddfc59ec380111fd36048126559e1f1e080c081ca0d09021bb23d6888e93e1659c7b3a8fa46f76602b03cf3e638ec1a80fba79e51648dcb32362e10c

Download Submit
C:\Program Files (x86)\Gatherum\Gatherum.dll

Filesize
397KB

MD5
7f92f6fc00f1e4ccb88a51194e673613

SHA1
0c7cc7304d744a726d23446a1082ca75a07b253e

SHA256
5b48dc6af8b20952c007277cdf0b0237b548ec1292b026be538ac11d63c2e099

SHA512
5cbd0f9913b167ab168d360ee887e373bbeba047f924a62966edb8be17742b9110dc385dbe2611d447b918239aa9c18668940c372175b482a16e23c1a5a37bcb

Download Submit
C:\Program Files (x86)\Gatherum\Gatherum.exe

Filesize
311KB

MD5
532a26887429ef38958e00a547145e42

SHA1
4790a4d80b07c2636c7ce6c16b2cb15354f40f5c

SHA256
a2811033fc287f766b230ebe85d45224d1d2a8914fe2e5802dbaa4976586b504

SHA512
6952d38bb43f87951f739a15cce39823bc97699597dc7a43944471edf8abe6887db12777fa64bc4975052addcdbc639ef56f53e4e2eafca9c7b02158ce561135

Download Submit
C:\Program Files (x86)\Gatherum\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
300c95ff95b52e8a02fec6bfcfa58225

SHA1
b646f89fcd463ad5c19889b4fea40540568b780c

SHA256
f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c

SHA512
9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89

Download Submit
C:\Program Files (x86)\Gatherum\Microsoft.Win32.SystemEvents.dll

Filesize
94KB

MD5
089edcaae873c9371b2dc9a4399f62b9

SHA1
441686e76986ecf295e50e80a78dc093dc9f9a02

SHA256
c81a58bd27c74f91e26245c530c4cadc5425a1a1586886c6a5631eef9d81fde2

SHA512
6b88f9264fdbbb0585efa21940fc888c593862ebb3bd305890294f64b37a81967a8ab2fbba30aa3f5db2994c25c57929df1644e269be898b77c77d4c0181f943

Download Submit
C:\Program Files (x86)\Gatherum\System.Collections.Specialized.dll

Filesize
102KB

MD5
cc26e9e30ffab763a1e54c0ef3713382

SHA1
c3be6646b7a4576ebd7729dbf4dccbd1fc159d51

SHA256
0cbabb81eae22f4c07c6c846054d207ae3f25da15649eb7fa29e4e2cecd24db4

SHA512
c8e57fb70cfa7667f9a5484c99eedd0bf34004ee26e9642e99a6b90624caa804af571d8aaafa7e9b121550af58205f8ed197b4ddb928210d394ff0b4c1897149

Download Submit
C:\Program Files (x86)\Gatherum\System.Collections.dll

Filesize
254KB

MD5
92063926c04f2e4bf5b5fde16542831d

SHA1
e7be34eaff2d3d8796911d21f1fdbb93bf231dec

SHA256
9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541

SHA512
e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

Download Submit
C:\Program Files (x86)\Gatherum\System.ComponentModel.EventBasedAsync.dll

Filesize
46KB

MD5
333639248121fb67d18323613a8203ea

SHA1
0cee5f7d46596239b833b3b30dccde27b0136959

SHA256
4c97d7bc0742faaa52ba86018b040aac44ddfc88a5835f9e6a659e03b4558999

SHA512
714fcb7299abcb26100b5f4103834c11c58f535ee9853fca2bcb22f43a3d1e7608d6ccae2dcc93d1687a4f1c8b521afe683d537f70f858681e62fff2d79c4acb

Download Submit
C:\Program Files (x86)\Gatherum\System.ComponentModel.Primitives.dll

Filesize
78KB

MD5
1c59c00ab0850af4b4d2bafd6be47db3

SHA1
4c6185b2f42987e25a5fdf2aa30cf4150de25d5b

SHA256
133ec34432ab8fa4f63ade636193864b6a62a089a0c98d746f5532c8a52f437b

SHA512
8425c02c4afb274e862e4ed5dd1c766ebfa1bcf5bf59018d86238014a52603331a8b7c1e233f5a1f22171e90132ddd585db0d2561ff2cd287d703397afdff4b1

Download Submit
C:\Program Files (x86)\Gatherum\System.ComponentModel.TypeConverter.dll

Filesize
726KB

MD5
f6f78df8a3ef64639ac0cb7de24ed66b

SHA1
384422c0ceb6bb6870c4f7d9074e9c78d33e4c0c

SHA256
88129c110d748f7c8ef8a923f68cd26d39e0505b49bf5cc10cbd23b92f1a00a3

SHA512
ed63f75e3477196b5308c42f259c0294a29ef5edf6eb0df4f8268be3f0495b9cfd8ca3467bc1574db142571c368940468bb84d14c26aaccacd6eee66ddd98403

Download Submit
C:\Program Files (x86)\Gatherum\System.Diagnostics.FileVersionInfo.dll

Filesize
46KB

MD5
1daf75cc369569182bbdb664eb8cb4c7

SHA1
ec0ff43694f0027a469d31221b591bff2ef29d69

SHA256
92ae8401342fd8484e749c65a7726a0f5bff69346ad4e96026bfa063ff567b8b

SHA512
9d0ee9b59354f721136a1631e46d395b763f755b212e44daea5c62a91b4c5edfd218587c8aa56db27f7efc7b9678c59ea822964f279a7837aa5e12f46be4e79b

Download Submit
C:\Program Files (x86)\Gatherum\System.Diagnostics.StackTrace.dll

Filesize
46KB

MD5
70c0d0120a96a30c980414f44bfe9d5e

SHA1
ad158543ae92c9b47e6290bab86b4cb5511b7029

SHA256
318eb3af0fda576d8094404185690b9570d576ea56e85c47251769c09de8035c

SHA512
42e9e048668b491a7fce4d5da6a2690f386c9d4d847b7ce0b2c70f743f615dc9917eafa5cc3d94f4e5803abe65d892c4f89d88ce8531b7d3c2b8c536d7d224da

Download Submit
C:\Program Files (x86)\Gatherum\System.Diagnostics.TraceSource.dll

Filesize
142KB

MD5
fe6a4b96e144131788108c8396a849eb

SHA1
40e6e5d03cfe036645ae854d5a2262faec6bed32

SHA256
22365ee4e3ba3c991d495e41f92e29bf6ddb38a48c44f55651271b80ee62b6d1

SHA512
61644c0e970dd6a6ff697b110bf99962931dd94deda5a966ea0fded3d23cba7433b802656295e04f1a95421774ea3c838f0a642d26b5e46ae6c05becb52eb7f1

Download Submit
C:\Program Files (x86)\Gatherum\System.Drawing.Common.dll

Filesize
1.5MB

MD5
e4715322db624dc52947a42ac67757ab

SHA1
ba0b0850142ecc3910927d6f2e5781b896d7d442

SHA256
75b1e772a4355145364121af00e5b5cf06c7212aa53d662fdc996bc11e8092a9

SHA512
3c86d44eb209a3a1f2001968a2b139e532a0513fd2decff04aa1bf8b30b6202c70fc0e7ac8b22ace563023671259cd74cf65062132e7f1b97d3580621686b05a

Download Submit
C:\Program Files (x86)\Gatherum\System.Drawing.Primitives.dll

Filesize
130KB

MD5
b5ca10a41cc865048491f617678722a9

SHA1
afe171d9d676b78983b802e18ef8e00927073c64

SHA256
cbe9fbb1d1e4850460854474ffd8c01ddcc756dcb33a86d1674c0cb2e2a0b026

SHA512
2afdce56b7eec6deb82f8b2d5ec3029b5a0ee1e8bbf2e0ff9a0a5310bf265ddcdf63660546b4dbcc3c5fb0cba3cbb94f2408fe5cb4d14dbe0e74aba6dd5a2192

Download Submit
C:\Program Files (x86)\Gatherum\System.IO.Compression.Brotli.dll

Filesize
82KB

MD5
4cde4fcd6f41f0d6d400c1d66f391538

SHA1
7c4a13f37c8d20fbe60c5b612107bd0242b68e26

SHA256
51bc8800f8579a14d1edf0f650c9a5d828ef9d96532d7dd304a4394fa9cfd641

SHA512
d7b444ec7f230c3104fdd98c60af9de998a85e622e0c8ce3471a3809d9ba8bb368d7827800fb177ac97f0ce3feb3ad2292a77d41b8c36bc99b2df1263feb8735

Download Submit
C:\Program Files (x86)\Gatherum\System.IO.Compression.Native.dll

Filesize
809KB

MD5
68deb864299c12cd26aea44c39aa665b

SHA1
03613118a674e115c23b3eae354805e9e41bb34c

SHA256
1d58d2b17d468651e17870876029dbd3f68d6ba74b18a75f148581eaddc9c1b1

SHA512
4ad6b2c38338469de0f0247152f773f6886ea5396aca5cbc178dc2e894aeccc1296fd02ffec1d1a266bc548a490a8afc5ba383087bd89567957980472318ccad

Download Submit
C:\Program Files (x86)\Gatherum\System.IO.Compression.dll

Filesize
258KB

MD5
e11feb9fb874d60b76c2ad7a5fef7ac8

SHA1
e7622bad558fd695442b3ecfeea8f706601c0310

SHA256
3f5083bf4404c5969557e6c19a5b87d7db5bef2ee10fd86d775b6a96b357232a

SHA512
dd3e75b0a86ee2240ebf37d728f467b11fd4a25e4b7fdbc8f4c5b4180bcd0e8c1a1695f5cb72133da428f791cb922699cc3a325e05c44bd7931c141b07504587

Download Submit
C:\Program Files (x86)\Gatherum\System.Memory.dll

Filesize
154KB

MD5
7e999da530c21a292cec8a642127b8c8

SHA1
6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f

SHA256
3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4

SHA512
a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

Download Submit
C:\Program Files (x86)\Gatherum\System.Numerics.Vectors.dll

Filesize
15KB

MD5
b7adf99da15738c602df256e8a1aac4a

SHA1
ff98005dfcf40f876b618a599f227397f36915df

SHA256
2466f7df763b191a6b4a536eae1016394d81e175fc53cefe56b8ce27459412af

SHA512
8eb34d00f8149d688bd5efe2ffdc834f669fa8c30d4c265814647de78a55502805104ccc3682010b246d26d805004b188ab19ad59fc2e866103bbe191e2225ad

Download Submit
C:\Program Files (x86)\Gatherum\System.Private.CoreLib.dll

Filesize
12.6MB

MD5
805cf170e27dd31219a6b873c17dce88

SHA1
ac90fa4690a8b54b6248dcb4c41a2c9a74547667

SHA256
ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0

SHA512
fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

Download Submit
C:\Program Files (x86)\Gatherum\System.Runtime.InteropServices.dll

Filesize
94KB

MD5
49c86e36b713e2b7daeb7547cede45fb

SHA1
75fe38864362226d2cce32b2c25432b1fd18ba37

SHA256
756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d

SHA512
a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

Download Submit
C:\Program Files (x86)\Gatherum\System.Runtime.dll

Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
C:\Program Files (x86)\Gatherum\System.Security.Cryptography.Csp.dll

Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
C:\Program Files (x86)\Gatherum\System.Security.Cryptography.dll

Filesize
2.0MB

MD5
75f18d3666eb009dd86fab998bb98710

SHA1
b273f135e289d528c0cfffad5613a272437b1f77

SHA256
4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e

SHA512
9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

Download Submit
C:\Program Files (x86)\Gatherum\System.Threading.Thread.dll

Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
C:\Program Files (x86)\Gatherum\System.Threading.dll

Filesize
82KB

MD5
32aa6e809d0ddb57806c6c23b584440e

SHA1
6bd651b9456f88a28f7054af475031afe52b7b64

SHA256
e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d

SHA512
fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

Download Submit
C:\Program Files (x86)\Gatherum\System.Windows.Forms.Primitives.dll

Filesize
2.9MB

MD5
8129c2d72bcba8b50576e7c43e558832

SHA1
f4892f78d2496f3a2e1fa2380ff68fbeb62e2dca

SHA256
5794a3996a0b4ab9cb13f3de0f87d50462615a7d0eb1d243d9324a682c1b58cb

SHA512
40fafbf9590d2b2c8f487f44708e9e97ddce03b1487be5c7cb3d4c92bdb7100a98aebada379f63003f0dd9d447ee2b0b9dfa0b057320ac05f7f77b31c5ffa97d

Download Submit
C:\Program Files (x86)\Gatherum\System.Windows.Forms.dll

Filesize
12.9MB

MD5
a51632facb386d55cc3bc1f0822e4222

SHA1
59144c26183277304933fd8bb5da7d363fcc11fa

SHA256
efc52dbbef5202d9ff424d7adc6e2249b66450a5fd5414891776fc617b00123e

SHA512
2a8d8e2ee8168e6f79476616385320f463ebc161c7393db2b18a7d35ca0111c5100b83954c5eabfe32b12cac3dbfdc514271dde4cc4468dd26235eb7020d9c14

Download Submit
C:\Program Files (x86)\Gatherum\clrjit.dll

Filesize
1.7MB

MD5
8b81a3f0521b10e9de59507fe8efd685

SHA1
0516ff331e09fbd88817d265ff9dd0b647f31acb

SHA256
0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb

SHA512
ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

Download Submit
C:\Program Files (x86)\Gatherum\coreclr.dll

Filesize
4.8MB

MD5
9369162a572d150dca56c7ebcbb19285

SHA1
81ce4faeecbd9ba219411a6e61d3510aa90d971d

SHA256
871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5

SHA512
1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

Download Submit
C:\Program Files (x86)\Gatherum\hostfxr.dll

Filesize
342KB

MD5
16532d13721ba4eac3ca60c29eefb16d

SHA1
f058d96f8e93b5291c07afdc1d891a8cc3edc9a0

SHA256
5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303

SHA512
9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

Download Submit
C:\Program Files (x86)\Gatherum\hostpolicy.dll

Filesize
388KB

MD5
a7e9ed205cf16318d90734d184f220d0

SHA1
10de2d33e05728e409e254441e864590b77e9637

SHA256
02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62

SHA512
3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ia0f2rbl.1dv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\LangDLL.dll

Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\ioSpecial.ini

Filesize
1KB

MD5
dc80e84cfb074df6616847a95565b3cf

SHA1
726e3685d22ab9467676fde77953fedde902d200

SHA256
48e4b4c1ba30827e799a4392b80b7dc0bd33bf6a574d4870083eb04fd43b67e6

SHA512
2a1e17ef6b819d978f656a9b480777ebca9c80311cbd8b280eb72581da5871a3dd4b9af0d502adc6e4f11166f736ab4105b2fc47979c0a4d1e33a68f400abe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\ioSpecial.ini

Filesize
1KB

MD5
d84c9f93662a76f593355e6bbb033bde

SHA1
57ac13a3a97fe1986d50904597f61692195a0b7a

SHA256
e0426128e486de4edbf24db671f323528dd46ce91ff8ffe3cb906dc10d39a7e6

SHA512
f438a2549b8a29a00bd3e919dc47b7b05d0a7258f69b8cc450805bf5a1895a23a1f39fc10d9f06d50df7370f693e4e0f299ec50e0366e9b9d7a6a07ecb15e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9BC5.tmp\ioSpecial.ini

Filesize
1KB

MD5
a688aa2cfc561ce0842c09142ce0b7ed

SHA1
4def8befef4bd282e31bd84b2a22837ec8f3494d

SHA256
ebe680b170943173620bfb8991a4928451dcd4a11e530cd03612a08317148942

SHA512
2453a7da17dc678bf3b777f3aa4cbd1450c81b90a62089894feb8ccffc494c45385a4e712aa6ffa6444872a22567086a545281ea566e3c33005d1f92da13d5a0

Download Submit
memory/1952-730-0x000002A02A6D0000-0x000002A02A6F2000-memory.dmp

Filesize
136KB

Download
memory/2672-785-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3512-778-0x0000000000770000-0x0000000000779000-memory.dmp

Filesize
36KB

Download
memory/3512-780-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/3512-781-0x00007FFCCA610000-0x00007FFCCA805000-memory.dmp

Filesize
2.0MB

Download
memory/3512-783-0x0000000076800000-0x0000000076A15000-memory.dmp

Filesize
2.1MB

Download
memory/4324-773-0x0000000003840000-0x0000000003C40000-memory.dmp

Filesize
4.0MB

Download
memory/4324-774-0x0000000003840000-0x0000000003C40000-memory.dmp

Filesize
4.0MB

Download
memory/4324-775-0x00007FFCCA610000-0x00007FFCCA805000-memory.dmp

Filesize
2.0MB

Download
memory/4324-777-0x0000000076800000-0x0000000076A15000-memory.dmp

Filesize
2.1MB

Download