home

{9d5747ee-0448-4681-8337-1555de75a3b6}w64.sys

sizlsearch

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {9d5747ee-0448-4681-8337-1555de75a3b6}w64.sys by sizlsearch has been detected as adware by 26 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{9d5747ee-0448-4681-8337-1555de75a3b6}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by sizlsearch)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
94807af89f91a0043f55c676f387dd19

SHA-1:
2e5d8f31943379b51562f2b18e3f1d16bfede0df

SHA-256:
dd33c84c3ee49df2a7fb482d85c8d24f1d606630052482b83b920c79e491de8d

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/24/2024 5:29:36 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.BV
359

Agnitum Outpost
Trojan.BPlug
7.1.1

AhnLab V3 Security
Trojan/Win64.SwiftBrowse
2014.08.26

avast!
Win32:BrowseFox-FZ [PUP]
2014.9-160210

AVG
Webet
2017.0.2837

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.16210

Bitdefender
Adware.SwiftBrowse.BV
1.0.20.205

Bkav FE
W64.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Swiftbrowse-284
0.98/21411

Dr.Web
Trojan.BPlug.123
9.0.1.041

Emsisoft Anti-Malware
Adware.SwiftBrowse.BV
8.16.02.10.12

ESET NOD32
Win64/Riskware.NetFilter (variant)
10.10531

F-Prot
W64/A-abca7297
v6.4.7.1.166

F-Secure
Adware.SwiftBrowse.BV
11.2016-10-02_4

G Data
Adware.SwiftBrowse.BV
16.2.24

IKARUS anti.virus
AdWare.SpadeCast
t3scan.1.6.1.0

McAfee
Artemis!F4C51721FD65
5600.6493

MicroWorld eScan
Adware.SwiftBrowse.L
17.0.0.123

NANO AntiVirus
Riskware.Win64.NetFilter.dfxhug
0.28.2.62483

nProtect
Adware.SwiftBrowse.L
14.05.23.01

Reason Heuristics
PUP.Yontoo.sizlsearch (M)
16.2.10.12

Sophos
BrowseSmart
4.98

SUPERAntiSpyware
Adware.NetFilter/Variant
9332

Trend Micro House Call
Suspicious_GEN.F47V1001
7.2.41

VIPRE Antivirus
Trojan.Win32.Generic
29520

Zillya! Antivirus
Adware.Yotoon.Win64.3
2.0.0.1901

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}w64.sys

Digital Signature
Signed by:
sizlsearch

Authority:
VeriSign, Inc.

Valid from:
11/13/2013 4:00:00 PM

Valid to:
11/14/2014 3:59:59 PM

Subject:
CN=sizlsearch, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=sizlsearch, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
14A03B7644CA6A74D050BBD6188EAA95

File PE Metadata
Compilation timestamp:
9/22/2014 12:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:l67G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3PXlc:4FID6EGnLA8AFJTNEVmDPXC

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Entropy:
6.3929

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{9d5747ee-0448-4681-8337-1555de75a3b6}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.