{7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys

RockResult

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys by RockResult has been detected as adware by 21 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{7afe3a9e-a637-49a8-9084-bf73405b41b6}Gw64”.
Publisher:
StdLib  (signed by RockResult)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
04089cd62f63df3a6a8ea4532ef9ef50

SHA-1:
fa5c63c7ab3e4de31f50b5681ddaaad56f1b8660

SHA-256:
7c1c00a87498465c00e75948bb5cc2ad1cc169bd30acd7b7dc18bc836036a8fe

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/25/2024 7:51:08 PM UTC  (today)

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.BV | 803
Agnitum Outpost | Riskware.NetFilter | 7.1.1
AhnLab V3 Security | Trojan/Win64.SwiftBrowse | 2014.09.26
AVG | Generic | 2015.0.3347
Bitdefender | Adware.SwiftBrowse.BV | 1.0.20.1640
Clam AntiVirus | Win.Adware.Swiftbrowse-284 | 0.98/19462
Dr.Web | hacktool program Tool.NetFilter.1 | 9.0.1.0261
Emsisoft Anti-Malware | Adware.SwiftBrowse.BV | 8.14.11.24.07
ESET NOD32 | Win64/Riskware.NetFilter (variant) | 8.10467
Fortinet FortiGate | Riskware/NetFilter | 11/24/2014
F-Prot | W64/A-abca7297 | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.BV | 11.2014-24-11_2
G Data | Adware.SwiftBrowse.BV | 14.11.24
IKARUS anti.virus | PUA.RiskWare.NetFilter | t3scan.1.7.8.0
McAfee | Artemis!FAC418986EB2 | 5600.7003
MicroWorld eScan | Adware.SwiftBrowse.BV | 15.0.0.984
nProtect | Adware.SwiftBrowse.BV | 14.09.25.01
Reason Heuristics | PUP.RockResult.n | 14.9.18.12
VIPRE Antivirus | Trojan.Win32.Generic | 33436
Zillya! Antivirus | Adware.Yotoon.Win64.3 | 2.0.0.1921

File size:
43.6 KB (44,632 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{7afe3a9e-a637-49a8-9084-bf73405b41b6}gw64.sys

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
6/9/2014 9:00:00 PM

Valid to:
6/15/2015 9:00:00 AM

Subject:
CN=RockResult, O=RockResult, L=Santa Monica, S=California, C=US

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0D2151DAC91D7B014A2AAC028842CAD8

File PE Metadata
Compilation timestamp:
9/12/2014 8:33:02 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:fgLmaZF8aSQ7DwZmEhzg8ClFHeDrTdRfsQCa5075YLwidHWRMvd:Y5ZEQI8E7ClquaC759EbF

Entry address:
0xB064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, C6, 60, FF, FF, CC, CC, 38, B2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, B6, 00, 00, 60, 81, 00, 00, 28, B1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, B9, 00, 00, 50, 80, 00, 00, D8, B0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, BA, 00, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, BA, 00, 00, 00, 00, 00, 00, 86, BA, 00, 00...
Code size:
30.5 KB (31,232 bytes)

Driver
Display name:
{7afe3a9e-a637-49a8-9084-bf73405b41b6}Gw64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI