home

spd.exe

Savepath Deals

The application spd.exe by Savepath Deals has been detected as adware by 2 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 8000 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Publisher:
Savepath Deals  (signed and verified)

MD5:
7a88ecd38af86bbf167bfc747d4047ab

SHA-1:
77fc78052d23abe6ff2e6dbea755ac15cb8302b6

SHA-256:
bf1154f2d97b13c657d33a24556bc6763b4482a5eaf3de26622ff19ad87d05fc

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
4/20/2024 3:09:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.SavepathDeals.D
14.9.9.14

File size:
2.1 MB (2,171,656 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\spd\bin\spd.exe

Digital Signature
Signed by:
Savepath Deals

Authority:
COMODO CA Limited

Valid from:
6/9/2014 7:00:00 PM

Valid to:
6/9/2016 6:59:59 PM

Subject:
CN=Savepath Deals, O=Savepath Deals, STREET=8923 W Sunset blvd, L=West Hollywood, S=CA, PostalCode=90069, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
56EA9CE76728F55E8F87B7F0683773B7

File PE Metadata
Compilation timestamp:
8/22/2014 3:21:28 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:nNw6mdISHh2ZG3XEoUo1jN9p/RKTIoZA8BElerk9j7:NL+ICh2ZG3UoUoxZf

Entry address:
0x12F907

Entry point:
E8, 91, 33, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 51, 51, 8D, 45, F8, 50, FF, 15, 9C, A0, 57, 00, 8B, 4D, F8, 8B, 45, FC, 81, C1, 00, 80, C1, 2A, 6A, 00, 68, 80, 96, 98, 00, 15, 21, 4E, 62, FE, 50, 51, E8, D1, 28, 00, 00, 85, D2, 7C, 0F, 7F, 07, 3D, 7F, D2, FF, 7F, 76, 06, 83, C8, FF, 89, 45, FC, 8B, 4D, 08, 85, C9, 74, 02, 89, 01, 8B, E5, 5D, C3, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 0C, 93, 5E, 00...
 
[+]

Entropy:
6.7281

Code size:
1.5 MB (1,541,120 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:8000/

Local host port:
8000

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to usrep.reimage.com  (184.72.227.197:80)

TCP (HTTP):
Connects to server-54-230-90-216.ind6.r.cloudfront.net  (54.230.90.216:80)

TCP (HTTP SSL):
Connects to ghs-vip-any-c46.ghs-ssl.googlehosted.com  (74.125.34.46:443)

TCP (HTTP SSL):
Connects to float.1534.bm-impbus.prod.nym2.adnexus.net  (68.67.152.167:443)

TCP (HTTP SSL):
Connects to float.1443.bm-impbus.prod.nym2.adnexus.net  (68.67.152.3:443)

TCP (HTTP SSL):
Connects to float.1396.bm-impbus.prod.nym2.adnexus.net  (68.67.152.92:443)

TCP (HTTP SSL):
Connects to ec2-54-241-128-122.us-west-1.compute.amazonaws.com  (54.241.128.122:443)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to ec2-54-193-81-28.us-west-1.compute.amazonaws.com  (54.193.81.28:443)

TCP (HTTP SSL):
Connects to ec2-50-18-221-188.us-west-1.compute.amazonaws.com  (50.18.221.188:443)

TCP (HTTP):
Connects to ec2-50-112-116-138.us-west-2.compute.amazonaws.com  (50.112.116.138:80)

TCP (HTTP SSL):
Connects to ec2-23-21-77-56.compute-1.amazonaws.com  (23.21.77.56:443)

TCP (HTTP SSL):
Connects to a23-3-96-25.deploy.static.akamaitechnologies.com  (23.3.96.25:443)

Remove spd.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.