{7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys

RockResult

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys by RockResult has been detected as adware by 21 anti-malware scanners. It runs as a Windows 64-bit kernel-mode device driver named “{7afe3a9e-a637-49a8-9084-bf73405b41b6}Gw64”.
Publisher:
StdLib (signed by RockResult)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
27c53eff18c9f578ef1b508fa7330508

SHA-1:
32db3dbbb431f5f559014cb09ff57d32d33e58a2

SHA-256:
43c953228d9d9e8b42a9d906600db5464660deefffd1409185372ab6d23e3f3d

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program, which inserts various forms of advertising into the user's web browser and is installed with minimal or no user consent.

Analysis date:
4/26/2024 1:49:44 AM UTC

Scan engine           Detection                           Engine version
Lavasoft Ad-Aware     Adware.SwiftBrowse.BV               833
Agnitum Outpost       Riskware.NetFilter                  7.1.1
AhnLab V3 Security    Trojan/Win64.SwiftBrowse            2014.09.25
AVG                   Generic                             2015.0.3311
Baidu Antivirus       Trojan.Win64.Riskware.bNetFilter    4.0.3.141025
Bitdefender           Adware.SwiftBrowse.BV               1.0.20.1490
Clam AntiVirus        Win.Adware.Swiftbrowse-284          0.98/21411
Dr.Web                hacktool program Tool.NetFilter.313 9.0.1.05190
Emsisoft Anti-Malware Adware.SwiftBrowse.BV               8.14.10.25.06
ESET NOD32            Win64/Riskware.NetFilter (variant)  8.10461
Fortinet FortiGate    Riskware/NetFilter                  10/25/2014
F-Prot                W64/A-abca7297                      v6.4.7.1.166
F-Secure              Adware.SwiftBrowse.BV               11.2014-25-10_7
G Data                Adware.SwiftBrowse.BV               14.10.24
IKARUS anti.virus     PUA.RiskWare.NetFilter              t3scan.1.7.8.0
McAfee                Artemis!66D397A69072                5600.6967
MicroWorld eScan      Adware.SwiftBrowse.BV               15.0.0.894
nProtect              Adware.SwiftBrowse.BV               14.09.24.01
Reason Heuristics     PUP.RockResult.n                    14.10.25.6
VIPRE Antivirus       Trojan.Win32.Generic                33410
Zillya! Antivirus     Adware.Yotoon.Win64.3               2.0.0.1913

File size:
47.6 KB (48,728 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
6/10/2014 2:00:00 AM

Valid to:
6/15/2015 2:00:00 PM

Subject:
CN=RockResult, O=RockResult, L=Santa Monica, S=California, C=US

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0D2151DAC91D7B014A2AAC028842CAD8

File PE Metadata
Compilation timestamp:
9/22/2014 9:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:l/7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3ZFRMAf:RFID6EGnLA8AFJTNEVmDZoA

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{7afe3a9e-a637-49a8-9084-bf73405b41b6}Gw64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI