{d524939d-dcea-4579-a3d0-67758ac2ff8e}t.sys

marketresearchhelper

Part of the Yontoo adware family, a web browser plugin that injects unwanted ads into web pages. The file {d524939d-dcea-4579-a3d0-67758ac2ff8e}t.sys by marketresearchhelper has been detected as adware by 9 of 68 anti-malware scanners. It runs as a Windows kernel-mode device driver registered under the name “{d524939d-dcea-4579-a3d0-67758ac2ff8e}t” (its version resource gives the original file name as StdLib.sys) and is Authenticode-signed with a VeriSign-issued certificate for marketresearchhelper, so a valid signature alone does not clear the file. The adware it belongs to plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by marketresearchhelper)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
9a4791e02215c4e62b436772a1a13ef4

SHA-1:
17c5286dd4b55e5fe7eed417dd67ee4336a9009b

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/25/2024 2:36:34 PM UTC

Scan engine               Detection                     Engine version
Baidu Antivirus           Adware.Win32.BrowseFox        4.0.3.14102
Dr.Web                    Trojan.BPlug.117              9.0.1.0275
IKARUS anti.virus         AdWare.SwiftBrowse            t3scan.1.7.5.0
McAfee                    Artemis!9A4791E02215          5600.6990
NANO AntiVirus            Trojan.Win32.BPlug.dcxxfx     0.28.2.61721
Reason Heuristics         PUP.marketresearchhelper.k    14.10.2.0
Trend Micro House Call    Suspicious_GEN.F47V0817       7.2.275
VIPRE Antivirus           Trojan.Win32.Generic          32486
Zillya! Antivirus         Adware.Yotoon.Win64.2         2.0.0.1899

File size:
54 KB (55,248 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win32 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{d524939d-dcea-4579-a3d0-67758ac2ff8e}t.sys

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
10/6/2013 6:00:00 PM

Valid to:
10/7/2014 5:59:59 PM

Subject:
CN=marketresearchhelper, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=marketresearchhelper, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
688762C9A09401488B09D9F72D24894B

File PE Metadata
Compilation timestamp:
1/30/2014 5:46:38 PM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:VebP7EDNtMTw/RWDjR/McKV5qEXGBJgxgZ+4AOmvtnBU6+RREt:4P7EJSTukuzTrGYs+JNBUtR4

Entry address:
0xA73E

Entry point:
8B, FF, 55, 8B, EC, E8, BD, FF, FF, FF, 5D, E9, CA, E3, FF, FF, CC, CC, B4, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 84, AB, 00, 00, 94, 90, 00, 00, A0, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BA, AB, 00, 00, 80, 90, 00, 00, AC, A7, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D6, AB, 00, 00, 8C, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A6, AB, 00, 00, 92, AB, 00, 00, 00, 00, 00, 00, C2, AB, 00, 00, 00, 00, 00, 00, AC, A8, 00, 00, C4, A8, 00, 00, D6, A8...

Entropy:
6.3494

Code size:
36.3 KB (37,120 bytes)

Driver
Display name:
{d524939d-dcea-4579-a3d0-67758ac2ff8e}t

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI
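
As an added example (not part of the original analysis page and not Reason Core Security's own tooling), the following PowerShell script checks a host for this driver using the indicators listed above: the service registration under the display name, the image at the common path, its MD5/SHA-1 against the listed hashes, and the Authenticode signer. It assumes the service key name equals the display name shown above and that the image sits at the common path; set $Remove to $true to stop and delete the service and file. Run it from an elevated prompt.

```powershell
# Added example, not from the original page. Triage (and optional removal) of the
# {d524939d-dcea-4579-a3d0-67758ac2ff8e}t kernel driver described above.
# Assumption: the service key name is the display name listed above and the
# image sits at the common path.

$DriverName = '{d524939d-dcea-4579-a3d0-67758ac2ff8e}t'
$DriverPath = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
$Remove     = $false   # set to $true to stop/delete the service and file

# Indicators copied from the analysis above
$KnownMd5    = '9a4791e02215c4e62b436772a1a13ef4'
$KnownSha1   = '17c5286dd4b55e5fe7eed417dd67ee4336a9009b'
$KnownSigner = 'CN=marketresearchhelper'

$findings = @()

# 1. Service registration. Type 1 = kernel driver; Group reads PNP_TDI for the
#    analysed sample.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName"
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "service key present: Type=$($svc.Type) Start=$($svc.Start) Group=$($svc.Group) ImagePath=$($svc.ImagePath)"
}

# 2. Is the driver currently loaded?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) {
    $findings += "driver object present: State=$($drv.State) PathName=$($drv.PathName)"
}

# 3. File on disk: compare hashes and inspect the signer. The sample carries a
#    VeriSign-issued signature for "marketresearchhelper", so a Valid status does
#    not clear the file; the subject CN is the indicator.
if (Test-Path -LiteralPath $DriverPath) {
    $md5  = (Get-FileHash -LiteralPath $DriverPath -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA1).Hash.ToLower()
    if ($md5 -eq $KnownMd5 -and $sha1 -eq $KnownSha1) {
        $findings += "file hash matches analysed sample (MD5 $md5)"
    } else {
        $findings += "file present but hashes differ (MD5 $md5, SHA-1 $sha1); likely another build"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $DriverPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($subject -like "*$KnownSigner*") {
        $findings += "signed by $subject (status $($sig.Status))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No trace of $DriverName on this host."
    return
}

Write-Output "Indicators found for $DriverName"
$findings | ForEach-Object { Write-Output "  - $_" }

if ($Remove) {
    # Stop and unregister the service, then delete the image. A loaded kernel
    # driver may refuse to stop; in that case delete the service, reboot, and
    # remove the file afterwards.
    & sc.exe stop $DriverName | Out-Null
    & sc.exe delete $DriverName | Out-Null
    Remove-Item -LiteralPath $DriverPath -Force -ErrorAction SilentlyContinue
    Write-Output "Removal attempted; reboot and re-run this script to confirm."
}
```

The hash comparison identifies this exact build; a host carrying a different build of the same driver will still be flagged by the service name, the GUID-style image name and the signer CN, which is why the script reports each indicator separately rather than requiring all of them to match.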


Remove {d524939d-dcea-4579-a3d0-67758ac2ff8e}t.sys - Powered by Reason Core Security