PUP.ClassroomSpy
Table of Contents
Analysis Report
General information
| Family Name: | PUP.ClassroomSpy |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
1f3abbdbd578cf00888e5ac5b4f0e4df
SHA1:
5ad64f0fd3ac33d43f01fcf8251406f0e589ce08
File Size:
5.34 MB, 5342416 bytes
|
|
MD5:
2ef4e7f7c1ec5fa583c87f0f86e5b995
SHA1:
efe83d11aff2f17be87d4ada0e04a1105982af51
File Size:
5.32 MB, 5321944 bytes
|
|
MD5:
24beebbe8260e26b4b595bf78140048f
SHA1:
b80145abdd3453ea8db08e1bb37c7118754bc65c
File Size:
5.32 MB, 5320920 bytes
|
|
MD5:
cb7fd6e88641b243730fc825856f8a0e
SHA1:
9c28afe73b3db7c07af7292a6e3da76816a0f6d8
File Size:
5.34 MB, 5342416 bytes
|
|
MD5:
cd4b87ba2e7d3fc9c94f218b1c6722e9
SHA1:
56490b36d4aff2a4c2a4f1cd6c3d490d5d8b96c9
SHA256:
7C14E367722043C9BD50853D92B83A849BF38CCBE3AF1EFAF1D4DF80E597951E
File Size:
5.32 MB, 5321936 bytes
|
Show More
|
MD5:
28747f562e376aafb79ffbc85051e1c5
SHA1:
7b8dc85c6f8654f45c464bf42159be282dbc539f
SHA256:
F5D81A7DE7705D4602B2BC71E92C6E9A4EE7A46DA890EFCB763DFB15202937BD
File Size:
5.34 MB, 5342536 bytes
|
|
MD5:
9e9b49b8904c6bc7ee1457a13d1453c7
SHA1:
d244a0915c629a73d77183a919e2d9fb6cce09b6
SHA256:
F5D9EB6FD29BD003F9F1B78FD7F33015BB9BD74D318DC3A8B02A2269122CD6BC
File Size:
4.83 MB, 4827344 bytes
|
|
MD5:
5d0131c9e8296628fc7bf34641f819d6
SHA1:
a22a408f39331b99afbc90b5fdc3a5c1bdf87f74
SHA256:
EA3BD141C3DA66F0D66B315596E2920F75F7AD49A9107D7056D1A9964778F521
File Size:
2.96 MB, 2960776 bytes
|
|
MD5:
f13aa1093781bd725687439b8935980f
SHA1:
6165a7a0d1ec262b3b06630afe84f3579f858788
SHA256:
74438DDD21AFA116951F68966A2E9BDB43D7A34CF8CB87751AE3EEBD0F27AA3F
File Size:
5.33 MB, 5332176 bytes
|
|
MD5:
66a3655163bf4ab535645fb845f6aed8
SHA1:
ec934be7011253a6afb03dc381ebe6326458fd7d
SHA256:
A67F64C4E661758F115024D15C078271CA3171E626554E08FA65F36D86566044
File Size:
5.32 MB, 5321936 bytes
|
|
MD5:
4a6b6611a57430e0db777049646fe08b
SHA1:
1dc8e830c2327a5192f70d9f3935f518759814a3
SHA256:
CFE204CAC3520A730E7EC357A4763022B331D2942E3A4760CA2B8366A2D451EA
File Size:
4.07 MB, 4069584 bytes
|
|
MD5:
0d17081c8659aefe54608ae09ce2c3bc
SHA1:
4175348a0adba5bac665ba10b555847dc1170a1f
SHA256:
4A7CAAF28330F9C75E92167E32707976986645EB982940A4E67D76F5C65820BB
File Size:
5.33 MB, 5332296 bytes
|
|
MD5:
5cd498e9e3fd26a5a05098e6bd514172
SHA1:
78b7d2a77c39c435a02516e257cd76cd77cc0cf0
SHA256:
C0628A3CF0F59012C75DB692C431D55463FDA81F2DDF99AEA0C3FF69EEFC8738
File Size:
5.38 MB, 5380936 bytes
|
|
MD5:
21cde97e8e61fdfe78024cfa3b328c3e
SHA1:
86806b254372a10f3c089b7297f428254040f8ea
SHA256:
CDD92083FD3BDF73EFBB178E99C3795310C8AAFCA9D39A2133B6C7998FCC4576
File Size:
5.34 MB, 5342416 bytes
|
|
MD5:
93671ba25651e459fa2cbdf23b3a9e9c
SHA1:
c63bd5dfa2cdd9b6370632e9e55ba3baebf21300
SHA256:
2EBCFB69BB3EF6F081FFF11F1334C8CCC2F59891A2AD968912F858CC0F2AE053
File Size:
5.37 MB, 5370696 bytes
|
|
MD5:
03b74d66568a5f7f59f099d60ddd69ee
SHA1:
46409941546f95f7fe909833e6afccfad7fe750f
SHA256:
FA702A911528F975A83AC2B1A4EA9C7DE68D7241F520A3E77B27A1D6A6A4EC1E
File Size:
4.09 MB, 4094280 bytes
|
|
MD5:
89ea0394074751dab5d1c7fbf910d041
SHA1:
8d9520f3019a13c662846e99a2ccb4b85cfb04b7
SHA256:
C858C6E55D9FDAFE845293B7913E0EA671982E7795A72AED73A304B4A64C89B9
File Size:
5.32 MB, 5321936 bytes
|
|
MD5:
7c9c8e654158a9f994dbbe379c810b14
SHA1:
d84dda776b95e9dcecbb0986393cc6f3ebe45b26
SHA256:
5040EEE101AB79358F0A78C12288C8CB554DF6EB5544CF901B048B8FF83891E0
File Size:
4.07 MB, 4069584 bytes
|
|
MD5:
4e2f600b2dbc63f6b467ecf72bb63a08
SHA1:
d5fc738ef22eaa7d504c3b9b39397e4104154bf7
SHA256:
12BF3F0535A961CA868C15BCA33BE3DEEAA9D819A83A6737F787806C92A4DB6C
File Size:
5.32 MB, 5317856 bytes
|
|
MD5:
67b5061065cde07d06a5b3ffda42a6ea
SHA1:
3c85c895d8ba525253b3f3ddbd953e8168d58e1a
SHA256:
90E1B1DF4983B6ADADE31C6C0744EEDC0C69706EC6FC06088D41C780D6B1D1E3
File Size:
5.33 MB, 5329616 bytes
|
|
MD5:
7a972a776be0698cf92cf17dfbaf1f86
SHA1:
0fa84e04344c56c5062325259c897acc7df39a87
SHA256:
9FB86555B7EF485F41D67BE2135CF307D6873F1364C5BD58D150DF5FA78D9249
File Size:
5.38 MB, 5380936 bytes
|
|
MD5:
dbf3b6e6b411e7c30151e8b9bfebede6
SHA1:
9415b446ec250f5349d79e80ff7dcb27ac342307
SHA256:
DD729D35A933DAEA099F9D91DB5D74F1D51F3E9ACE6504EF8FA1A9BF4EDDC223
File Size:
5.32 MB, 5324496 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
Show More
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| EduIQ.com Damjan Kriznik s.p. | COMODO RSA Code Signing CA | Self Signed |
| EduIQ.com Damjan Kriznik s.p. | Sectigo Public Code Signing Root R46 | Root Not Trusted |
| EduIQ.com Damjan Kriznik s.p. | Sectigo Public Code Signing Root R46 | Root Not Trusted |
File Traits
- 00 section
- 2+ executable sections
- HighEntropy
- No Version Info
- packed
- UPX!
- x64
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 21,462 |
|---|---|
| Potentially Malicious Blocks: | 131 |
| Whitelisted Blocks: | 17,662 |
| Unknown Blocks: | 3,669 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
0
0
0
x
?
?
0
0
?
?
0
0
0
0
0
0
0
?
?
0
?
0
0
0
?
0
0
0
0
?
?
?
0
?
0
x
0
?
?
?
0
0
0
0
?
?
?
0
?
?
0
?
?
?
0
0
?
0
?
0
0
0
0
0
0
?
?
0
0
?
0
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
?
?
?
?
0
0
0
?
0
0
?
?
?
0
?
0
0
0
?
?
0
?
0
?
?
0
0
?
0
?
?
0
?
0
?
0
?
?
?
?
0
0
?
0
?
0
?
0
?
0
?
?
?
0
?
0
?
0
?
0
0
?
?
?
0
?
?
0
?
0
?
0
?
0
?
?
0
0
?
?
?
0
?
0
?
?
0
?
0
0
?
0
?
?
0
0
0
0
0
0
?
0
?
0
0
?
0
?
0
?
?
?
?
?
0
?
?
0
?
?
?
?
?
?
0
?
0
0
0
?
?
?
?
0
?
?
0
?
?
0
?
0
?
0
?
?
?
?
0
?
?
?
0
0
?
?
?
?
0
?
0
?
?
?
0
?
?
?
0
?
0
?
?
?
?
?
?
0
?
0
?
0
?
0
?
0
0
?
0
?
0
0
?
0
?
0
?
0
?
0
?
?
?
0
?
?
?
0
0
0
0
0
?
?
?
0
0
0
?
0
0
0
?
0
0
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
0
0
0
?
0
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
?
0
?
?
?
?
?
?
0
0
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
?
?
?
?
?
?
0
?
?
?
?
?
?
0
0
?
?
?
?
0
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
0
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
0
?
?
0
?
0
?
0
?
?
?
0
?
0
0
0
0
?
0
?
0
0
?
?
0
?
?
?
?
?
0
?
0
?
0
?
0
?
0
0
?
0
?
0
0
?
0
0
?
?
0
?
0
?
?
0
?
?
0
?
0
?
0
?
0
?
0
?
?
0
?
?
?
0
?
0
?
0
?
?
0
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
?
?
?
0
?
0
?
?
?
?
0
0
?
?
0
?
?
?
?
?
0
?
0
?
?
0
?
0
0
0
0
0
?
0
?
?
0
?
0
?
0
?
0
?
?
?
0
?
0
0
0
0
0
0
0
0
?
0
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
?
0
?
0
?
?
?
0
?
?
0
?
0
0
?
0
?
0
?
?
?
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
x
?
0
0
0
0
?
0
?
0
?
0
?
0
?
0
?
?
?
?
0
?
0
?
?
?
?
?
0
?
0
?
0
?
?
?
0
?
?
0
?
0
0
?
0
?
0
0
0
?
0
?
0
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
?
?
?
0
?
?
x
?
0
?
0
?
?
?
0
?
?
0
?
0
?
0
?
0
?
0
?
?
0
?
0
?
?
0
?
0
?
0
?
0
?
?
?
x
?
?
0
?
0
?
0
?
0
?
0
?
0
?
?
?
0
?
?
?
?
0
?
0
?
?
0
?
0
?
?
?
?
?
?
?
0
?
0
?
0
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
0
0
?
?
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
0
0
x
0
?
?
?
?
?
?
?
?
?
?
?
0
?
0
?
0
0
?
x
0
?
?
?
?
?
?
?
?
0
?
?
?
?
?
0
0
0
?
?
0
?
?
?
?
?
0
0
0
?
0
?
0
0
0
0
0
?
?
?
?
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
?
?
?
?
?
0
?
?
?
?
?
?
?
0
?
?
?
0
?
0
0
?
?
?
0
0
?
?
?
0
?
0
0
0
?
?
0
0
?
?
?
?
?
?
?
?
x
?
?
?
?
?
0
?
0
?
0
0
?
0
?
?
?
?
0
?
0
?
0
0
?
0
?
0
?
?
0
?
?
?
?
0
?
0
0
0
?
?
?
0
?
?
?
?
?
?
0
0
0
0
?
?
?
?
?
?
?
0
0
?
?
?
?
0
0
0
?
?
0
0
?
0
?
0
?
?
0
0
0
?
0
?
0
?
0
?
?
0
?
?
?
?
0
?
?
?
?
?
?
0
?
?
?
?
0
?
?
?
?
?
0
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
0
0
0
0
?
0
?
0
?
?
?
?
?
x
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
0
?
?
?
?
?
0
?
?
0
?
?
?
?
?
?
?
0
?
x
?
?
0
?
?
?
?
?
?
0
?
0
?
?
0
?
?
?
?
?
?
?
0
?
?
0
x
0
?
0
?
0
?
0
?
?
0
?
0
0
x
0
?
0
?
0
?
0
?
?
0
?
0
?
0
?
0
?
?
?
?
?
0
?
?
?
0
x
0
?
0
?
?
?
0
0
?
0
0
0
?
?
?
?
0
?
?
0
?
?
0
?
?
?
?
?
?
0
?
0
0
0
?
0
0
0
?
0
0
0
0
?
0
0
0
0
?
0
0
0
0
?
?
?
?
0
?
0
?
0
?
?
?
0
?
0
?
0
?
0
0
?
0
?
0
?
0
?
0
?
0
?
?
?
?
0
?
?
0
?
?
?
0
?
?
?
?
?
?
0
?
?
?
0
0
?
?
?
?
0
?
?
?
0
?
?
?
?
0
?
?
0
?
?
?
?
0
0
?
?
0
0
?
0
?
0
0
0
0
?
0
?
0
?
?
0
?
0
?
0
?
0
?
?
0
?
?
?
?
?
?
0
?
0
?
0
?
0
?
0
?
?
0
?
0
?
0
?
?
0
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
0
?
?
0
0
?
0
?
?
0
?
0
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
0
?
0
?
0
?
0
?
0
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
?
0
?
0
?
0
?
0
0
?
0
?
?
?
0
?
0
0
?
?
?
0
?
?
?
?
?
0
?
?
0
?
0
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
0
0
0
?
0
0
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
?
?
?
0
?
?
0
?
0
0
0
?
0
?
0
?
0
0
0
0
0
0
?
0
?
?
0
?
?
?
0
?
?
0
?
0
?
0
?
?
0
?
0
0
0
0
0
0
0
0
?
?
0
?
0
?
0
?
0
x
?
?
?
?
0
?
0
?
?
?
0
?
0
?
?
0
0
0
?
0
?
0
?
0
0
0
?
0
0
0
?
?
?
0
0
0
?
0
0
0
?
0
?
?
x
0
0
?
0
?
?
0
0
?
0
?
0
?
?
0
?
0
0
?
?
0
0
0
?
0
?
0
?
?
?
?
0
?
0
?
0
?
?
0
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
0
?
0
?
0
?
?
?
?
0
?
0
?
0
0
0
?
?
?
0
0
0
?
0
?
0
?
0
?
0
?
?
0
?
0
0
0
?
?
0
?
0
?
?
?
0
?
0
?
?
?
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
0
0
0
0
0
0
0
0
?
0
?
0
0
?
0
0
?
0
?
0
?
?
0
?
0
?
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
?
0
?
?
0
?
?
?
0
?
0
?
?
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
0
?
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
0
?
?
?
?
?
0
?
0
?
?
?
?
?
0
?
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
