» {26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64.sys
Overview
Analysis
File Details
Behaviors (1)

{26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64.sys

glindorus

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64.sys by glindorus has been detected as adware by 27 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

Publisher:

StdLib (signed by glindorus)

Product:

StdLib

Version:

1.4.3.1 built by: WinDDK

MD5:

de7bcd9f8e99ba56695e278440abacc0

SHA-1:

9640b4ca17972f3beb4dc848939f9528fac2341d

SHA-256:

9bc761664f85b3c073abdb53d4e45b387ef1c1166902b7b2556b46cf812f1bc3

Scanner detections:

27 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

4/23/2024 1:34:56 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Adware.SwiftBrowse.CH

357

Agnitum Outpost

Trojan.BPlug

7.1.1

AhnLab V3 Security

Trojan/Win64.SwiftBrowse

2014.09.02

Avira AntiVirus

Adware/BrowseFox.aos

7.11.217.176

avast!

Win32:BrowseFox-FA [PUP]

2014.9-160212

AVG

Skodna.glindorus

2017.0.2835

Baidu Antivirus

Adware.Win32.BrowseFox

4.0.3.16212

Bitdefender

Adware.SwiftBrowse.CH

1.0.20.215

Clam AntiVirus

Win.Adware.Swiftbrowse-497

0.98/20195

Dr.Web

Trojan.BPlug.123

9.0.1.043

Emsisoft Anti-Malware

Adware.SwiftBrowse.CH

8.16.02.12.02

F-Prot

W64/A-59c9c70a

v6.4.7.1.166

F-Secure

Adware.SwiftBrowse.CH

11.2016-12-02_6

G Data

Adware.SwiftBrowse.CH

16.2.25

IKARUS anti.virus

AdWare.SpadeCast

t3scan.1.6.1.0

K7 AntiVirus

Adware

13.201.15271

McAfee

Artemis!18982E9DAAF0

5600.6491

MicroWorld eScan

Adware.SwiftBrowse.CH

17.0.0.129

Norman

Adware.SwiftBrowse.CH

11.20160212

nProtect

Adware.SwiftBrowse.CH

15.03.16.01

Reason Heuristics

PUP.Yontoo.glindorus (M)

16.2.12.14

Sophos

BrowseSmart

4.98

SUPERAntiSpyware

Adware.BrowseFox/Variant

9328

Trend Micro House Call

Suspicious_GEN.F47V0613

7.2.43

Trend Micro

HS_BROWSEFOX.SM

10.465.12

VIPRE Antivirus

Trojan.Win32.Generic

30470

Zillya! Antivirus

Adware.Yotoon.Win64.3

2.0.0.1908

File size:

59.7 KB (61,112 bytes)

Product version:

1.4.3.1

Original file name:

StdLib.sys

File type:

Driver (Win64 SYS)

Language:

English (United States)

Common path:

C:\Windows\System32\drivers\{26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64.sys

Digital Signature

Signed by:

glindorus

Authority:

VeriSign, Inc.

Valid from:

9/18/2013 5:00:00 PM

Valid to:

9/19/2015 4:59:59 PM

Subject:

CN=glindorus, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=glindorus, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

38CA8426D3AC22743D3790B6CAB486B4

File PE Metadata

Compilation timestamp:

1/30/2014 4:45:30 PM

OS version:

6.1

OS bitness:

Win64

Subsystem:

Native (none required)

Linker version:

9.0

CTPH (ssdeep):

768:Mot2dxF9O8ZF33iqiIy938bWp9XcfBvJkowidInpn:M9JRicy938ip9ea1jV

Entry address:

0xF064

Entry point:

48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, 2E, 20, FF, FF, CC, CC, 38, F2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, F6, 00, 00, 60, C1, 00, 00, 28, F1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, F9, 00, 00, 50, C0, 00, 00, D8, F0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, FA, 00, 00, 00, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, FA, 00, 00, 00, 00, 00, 00, 86, FA, 00, 00... 
[+]

Entropy:

5.9644

Code size:

46.5 KB (47,616 bytes)

Driver

Display name:

{26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64

Type:

Kernel device driver (KernelDriver)

Group:

PNP_TDI

Remove {26d264d2-014c-4f07-bf2c-ebf9aed40cef}w64.sys - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.