Edit tour

Windows Analysis Report
setup.limagitox.x64.snap (1).exe

Overview

General Information

Sample Name:	setup.limagitox.x64.snap (1).exe
Analysis ID:	1345578
MD5:	e2f852b559885dbc1a64da5e7ff0f043
SHA1:	fb63f1bfbdf83582fa7e8da870c270cc75328034
SHA256:	6f3254911aeb4a09afb1ebc0be85cec244ab589f0eab193b60dc9771459aa3da
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Antivirus detection for URL or domain

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Sample file is different than original file name gathered from version info

Drops PE files

PE file contains sections with non-standard names

Queries keyboard layouts

Stores files to the Windows start menu directory

PE file contains more sections than normal

Creates or modifies windows services

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

setup.limagitox.x64.snap (1).exe (PID: 344 cmdline: C:\Users\user\Desktop\setup.limagitox.x64.snap (1).exe MD5: E2F852B559885DBC1A64DA5E7FF0F043)

setup.limagitox.x64.snap (1).tmp (PID: 5284 cmdline: "C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp" /SL5="$10486,95606558,832512,C:\Users\user\Desktop\setup.limagitox.x64.snap (1).exe" MD5: F00CB4FD7D4A9EE22EB27403DD7F65EC)

_setup64.tmp (PID: 2812 cmdline: helper 105 0x460 MD5: E4211D6D009757C078A9FAC7FF4F03D4)

conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FMSoft_uniGUI_runtime.exe (PID: 828 cmdline: C:\ProgramData\LimagitoX\ExtJS\FMSoft_uniGUI_runtime.exe MD5: 80C97563A3B1B3888ECCBBED50BD87C1)

FMSoft_uniGUI_runtime.tmp (PID: 1968 cmdline: "C:\Users\user\AppData\Local\Temp\is-EC44H.tmp\FMSoft_uniGUI_runtime.tmp" /SL5="$60086,8323918,421376,C:\ProgramData\LimagitoX\ExtJS\FMSoft_uniGUI_runtime.exe" MD5: 3C9CBEA4E15B07DD4547EF21CF99E1BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.tmedia.de

Avira URL Cloud: Label: phishing

Source: setup.limagitox.x64.snap (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-T3LL6.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-N1RJR.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-90QTD.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-9S6UH.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-60OQA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-Q06KG.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-4UBD0.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-JUPDN.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-61TCG.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-GPEEL.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-16U2M.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-GINL4.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-DDOOI.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-A4CDV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-EETEA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-403QA.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-EN29E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-59RLE.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-0G7IL.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-HHQ3U.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-MUG6F.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-JDBOV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-4RT0N.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-ICVVQ.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-ECMKE.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp	Directory created: C:\Program Files\LimagitoX File Mover\is-8VMPU.tmp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SQ53H.tmp\setup.limagitox.x64.snap (1).tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BE771D4-E6A8-4371-B829-4B55D999694A}_is1

Jump to behavior

Source: setup.limagitox.x64.snap (1).exe

Static PE information: certificate valid

Source: setup.limagitox.x64.snap (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\sviluppo\ievision\ielib\ievision.pdb source: is-GINL4.tmp.2.dr

Source: is-EN29E.tmp.2.dr	String found in binary or memory: http://cknotes.com/chilkat-charsets-character-encodings-supported/.
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-HHQ3U.tmp.2.dr	String found in binary or memory: http://limagito.com/file-mover-downloads/)
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pngdelphi.sourceforge.net
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://synedit.sourceforge.net
Source: is-GINL4.tmp.2.dr	String found in binary or memory: http://www.ImageEn.com0
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006C4000.00000004.00000020.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.IndyProject.org/
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoLight
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoMedium
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: is-EN29E.tmp.2.dr	String found in binary or memory: http://www.delphibasics.co.uk
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/License/BSD.EN.aspx
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2484043196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000003.2483425940.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000000.2485172609.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FMSoft_uniGUI_runtime.tmp.7.dr	String found in binary or memory: http://www.innosetup.com/
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000000.2482118134.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-PVQ3N.tmp.2.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mindworkshop.com
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2484043196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000003.2483425940.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000000.2485172609.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, FMSoft_uniGUI_runtime.tmp.7.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sencha.com/
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sencha.com/contact
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sencha.com/contact.
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sencha.com/legal/sencha-software-license-agreement
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tmedia.de
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.000000000246A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unigui.com/
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.unigui.com/(
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.00000000079C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fontawesome.com
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.00000000079C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fontawesome.com/license/free
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.00000000079C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: FMSoft_uniGUI_runtime.exe, 00000007.00000003.2482792717.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.exe, 00000007.00000002.3246726029.000000000221F000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3249280063.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3246836581.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MahdiSafsafi/delphi-detours-library
Source: FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000007EF7000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.00000000079C4000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.00000000073F4000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006710000.00000004.00001000.00020000.00000000.sdmp, FMSoft_uniGUI_runtime.tmp, 00000008.00000002.3264763449.0000000006E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://icomoon.io/app
Source: setup.limagitox.x64.snap (1).exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-HHQ3U.tmp.2.dr	String found in binary or memory: https://limagito.com/file-mover-downloads/)
Source: is-GINL4.tmp.2.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-9S6UH.tmp.2.dr	String found in binary or memory: https://www.eurekalog.com/support.php?department=
Source: setup.limagitox.x64.snap (1).exe, 00000000.00000003.1990860244.0000000002700000.00000004.00001000.00020000.00000000.sdmp, setup.limagitox.x64.snap (1).exe, 00000000.00000003.1991253077.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, setup.limagitox.x64.snap (1).tmp, 00000002.00000000.1992936640.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: setup.limagitox.x64.snap (1).exe, 00000000.00000003.1990860244.0000000002700000.00000004.00001000.00020000.00000000.sdmp, setup.limagitox.x64.snap (1).exe, 00000000.00000003.1991253077.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, setup.limagitox.x64.snap (1).tmp, 00000002.00000000.1992936640.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: setup.limagitox.x64.snap (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: setup.limagitox.x64.snap (1).exe, 00000000.00000003.1990860244.00000000027F8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs setup.limagitox.x64.snap (1).exe
Source: setup.limagitox.x64.snap (1).exe, 00000000.00000002.3246871457.0000000000BD8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs setup.limagitox.x64.snap (1).exe
Source: setup.limagitox.x64.snap (1).exe, 00000000.00000000.1989358182.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs setup.limagitox.x64.snap (1).exe
Source: setup.limagitox.x64.snap (1).exe, 00000000.00000003.1991253077.000000007FE35000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs setup.limagitox.x64.snap (1).exe
Source: setup.limagitox.x64.snap (1).exe	Binary or memory string: OriginalFileName vs setup.limagitox.x64.snap (1).exe

Source: is-60OQA.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: is-9S6UH.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: is-Q06KG.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: is-16U2M.tmp.2.dr	Static PE information: Number of sections : 12 > 10
Source: is-N1RJR.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: is-90QTD.tmp.2.dr	Static PE information: Number of sections : 11 > 10

Source: setup.limagitox.x64.snap (1).tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-T3LL6.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-N1RJR.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: is-N1RJR.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: is-90QTD.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: is-90QTD.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: FMSoft_uniGUI_runtime.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: FMSoft_uniGUI_runtime.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: C:\Users\user\Desktop\setup.limagitox.x64.snap (1).exe

File read: C:\Users\user\Desktop\setup.limagitox.x64.snap (1).exe

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
setup.limagitox.x64.snap (1).exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.limagitox.x64.snap (1).exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Windows Analysis Report
setup.limagitox.x64.snap (1).exe