yhdh.exe

SuperPlusRadio v2.1V03.03

Blondie Project (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may link to malware sites and install unwanted software. The application yhdh.exe, “SuperPlusRadio v2.1V03.03 exe” by Blondie Project (Bright Circle Investments), has been detected as adware by 21 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. It is built on the Crossrider cross-browser extension platform; while the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is distributed as part of the Brightcircle group of browser extensions.
Publisher:
RadioCanyonv2V03.03  (signed by Blondie Project (Bright Circle Investments Ltd))

Product:
SuperPlusRadio v2.1V03.03

Description:
SuperPlusRadio v2.1V03.03 exe

Version:
1000.1000.1000.1000

MD5:
d2f47d15c532bed75fc1f0f7b0aaa85d

SHA-1:
076ac466eb5b071d17147b5ee40751f004685eaf

SHA-256:
e7478507b4c175db933056d2e6582703eed78d8b3dfa2c0bd22ae8571eaed857

Scanner detections:
21 / 68

Status:
Adware

Explanation:
May modify the web browser's settings, including changing the homepage and search provider, in addition to delivering ads (by injecting banners and text links directly into the web page). Distributed through the Brightcircle Investments brand.

Analysis date:
4/27/2024 1:25:50 AM UTC

Scan engine            Detection                                                   Engine version
Lavasoft Ad-Aware      Gen:Application.Heur.8v1@mC3mXWlO                           701
AhnLab V3 Security     PUP/Win32.CrossRider                                        2015.03.04
Avira AntiVirus        ADWARE/CrossRider.Gen7                                      7.11.213.102
avast!                 Win32:Malware-gen                                           2014.9-150313
AVG                    Generic                                                     2016.0.3179
Baidu Antivirus        Adware.Win32.CrossAd                                        4.0.3.1536
Bitdefender            Gen:Application.Heur.8v1@mC3mXWlO                           1.0.20.325
Comodo Security        Application.Win32.Plush.GRI                                 21286
ESET NOD32             Win32/Toolbar.CrossRider.BV potentially unwanted (variant)  9.11265
F-Secure               Gen:Application.Heur.8v1@mC3mXWlO                           11.2015-06-03_6
G Data                 Gen:Application.Heur.8v1@mC3mXWlO                           15.3.25
herdProtect (fuzzy)                                                                2015.6.12.20
Kaspersky              not-a-virus:WebToolbar.Win32.CrossRider                     14.0.0.2355
Malwarebytes           PUP.Optional.SuperPlusRadio.A                               v2015.03.06.05
MicroWorld eScan       Gen:Application.Heur.8v1@mC3mXWlO                           16.0.0.195
Panda Antivirus        Trj/Genetic.gen                                             15.03.06.05
Qihoo 360 Security     Win32/Virus.Adware.a87                                      1.0.0.1015
Quick Heal             PUA.BrightCircle.OD6                                        3.15.14.00
Reason Heuristics      Adware.BrightCircle.Task                                    15.3.6.5
Sophos                 Generic PUA AJ                                              4.98
VIPRE Antivirus        Crossrider                                                  38108

File size:
1.9 MB (2,034,648 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
SuperPlusRadio v2.1V03.03.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\yhdh.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2014 4:00:00 PM

Valid to:
12/16/2015 3:59:59 PM

Subject:
CN=Blondie Project (Bright Circle Investments Ltd), O=Blondie Project (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0903CC287C7EEA81D3C21DBB234D320C

File PE Metadata
Compilation timestamp:
3/3/2015 3:05:14 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:wmqAPUp+JrgduiHvLijSgpS3ST16qZ1V1DzD:wpAPUUMPPLijSS6+

Entry address:
0xF9DB1

Entry point:
E8, 5D, FD, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 85, F6, 78, 09, E8, 90, FE, 00, 00, 3B, 30, 7C, 07, E8, 87, FE, 00, 00, 8B, 30, E8, 7A, FE, 00, 00, 8B, 04, B0, 5E, 5D, C3, 55, 8B, EC, 56, E8, 83, 5C, 00, 00, 8B, F0, 85, F6, 75, 07, B8, 10, 3E, 56, 00, EB, 26, 53, 57, 33, FF, BB, 86, 00, 00, 00, 39, 7E, 24, 75, 1B, 6A, 01, 53, E8, 9D, 2E, 00, 00, 59, 59, 89, 46, 24, 85, C0, 75, 0A, B8, 10, 3E, 56, 00, 5F, 5B, 5E, 5D, C3, FF, 75, 08, 8B, 76, 24, E8, 90, FF, FF, FF, 50, 53, 56, E8, F4, EA...
 

Entropy:
6.8698

Code size:
1.2 MB (1,208,320 bytes)

Scheduled Task
Task name:
YHDH

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-184-168-221-47.ip.secureserver.net  (184.168.221.47:80)
