nsp9bd3.tmp

Compete Inc

The file nsp9bd3.tmp by Compete Inc has been detected as a potentially unwanted program by 15 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, and it is typically executed from the user's temporary directory. The file has been observed being downloaded from fastc.us and multiple other hosts. While running, it connects to the Internet address c-0001.dc-msedge.net on port 80 over HTTP.
Publisher:
Compete Inc  (signed and verified)

Version:
3.2.4.4286

MD5:
0f6580b154dde96049274ad8eb616b1a

SHA-1:
9d4393894cc73e7195dfdc219b35ec0c4b8de6e9

SHA-256:
a95446965a376bbea0ca0bb7ee4a8106b871ab08040f35aca4d6996a0231036d

Scanner detections:
15 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 11:02:05 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| Avira AntiVirus | TR/Cpete.1916536 | 8.3.2.2 |
| Baidu Antivirus | PUA.Win32.Compete | 4.0.3.151030 |
| Bkav FE | W32.HfsAdware | 1.3.0.7383 |
| Dr.Web | Adware.Compete.1 | 9.0.1.05190 |
| ESET NOD32 | Win32/Compete.C potentially unwanted application | 7.0.302.0 |
| G Data | Win32.Application.Agent.NLC0EI | 15.10.25 |
| IKARUS anti.virus | PUA.Compete | t3scan.1.9.5.0 |
| Malwarebytes | PUP.Optional.Compete | v2015.10.30.04 |
| McAfee | Artemis!0F6580B154DD | 5600.6597 |
| Reason Heuristics | PUP.Compete.Installer (M) | 15.10.30.4 |
| Rising Antivirus | PE:Malware.Generic/QRS!1.9E2D [F] | 23.00.65.151028 |
| Sophos | Generic PUA JN (PUA) | 4.98 |
| SUPERAntiSpyware | PUP.Compete/Variant | 9539 |
| VIPRE Antivirus | Compete | 44896 |
| Zillya! Antivirus | Adware.CroRi.Win32.3284 | 2.0.0.2480 |

File size:
1.8 MB (1,916,536 bytes)

Product version:
3.2.4.4286

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nsp9bd3.tmp

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
12/21/2014 7:00:00 PM

Valid to:
3/22/2018 7:59:59 PM

Subject:
CN=Compete Inc, O=Compete Inc, L=Boston, S=Massachusetts, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
0A6DDD60D9E6C4FAA56565923F8669C2

File PE Metadata
Compilation timestamp:
9/26/2011 9:21:38 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:Y6CEOqaGInegHyJYUd7GTX0rFPjsND11feChyx5dSEsHyFYKnboaMJxVt+l2x1Cm:/YLyrd7GrGPjsND11fSAyHnboaSrR

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...
 

Entropy:
7.9848

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file nsp9bd3.tmp has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to mail.reconart.com  (199.79.48.60:443)

TCP (HTTP):
Connects to c-0001.dc-msedge.net  (13.107.12.50:80)

TCP (HTTP):
Connects to c-0001.c-msedge.net  (191.234.4.50:80)

TCP (HTTP):
Connects to a96-6-113-42.deploy.akamaitechnologies.com  (96.6.113.42:80)
