» ndsm.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

ndsm.exe

Microsoft .NET Framework

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The executable ndsm.exe, “aspnet_compiler.exe” has been detected as malware by 28 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Keyboard Inf.’. While running, it connects to the Internet address www.turktelekom.com.tr on port 80 using the HTTP protocol.

File name:

ndsm.exe

Publisher:

Microsoft Corporation* (Invalid match)

Product:

Microsoft® .NET Framework

Description:

aspnet_compiler.exe

Version:

4.0.30319.17929 built by: FX45RTMREL

MD5:

40c2e18015fb23094e398980db6cbccf

SHA-1:

0c2e1c8b65bf63340819c0220ec61ce8b46282f2

SHA-256:

f9f8e9abac1537e0fcf09374a390f7fa9e8228dd2df39cca6f2d08bac994916a

Scanner detections:

28 / 68

Status:

Malware

Analysis date:

1/21/2026 12:47:09 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.GenericKD.1433529

1141

AhnLab V3 Security

Trojan/Win32.FakeWarn

2013.12.21

Avira AntiVirus

TR/Dropper.A.16689

7.11.121.4

avast!

Win32:Malware-gen

2014.9-131221

AVG

Generic35

2014.0.3619

Baidu Antivirus

Trojan.Win32.Dynamer

4.0.3.131221

Bitdefender

Trojan.GenericKD.1433529

1.0.20.1775

Dr.Web

Trojan.BtcMine.217

9.0.1.0355

Emsisoft Anti-Malware

Trojan.GenericKD.1433529

8.13.12.21.01

ESET NOD32

Win32/CoinMiner.HY (variant)

7.9190

Fortinet FortiGate

W32/FakeWarn.PGT!tr

12/21/2013

F-Secure

Trojan.GenericKD.1433529

11.2013-21-12_7

G Data

Trojan.GenericKD.1433529

13.12.22

IKARUS anti.virus

Trojan.Win32.Fakewarn

t3scan.2.2.29

K7 AntiVirus

Riskware

13.174.10588

Kaspersky

Trojan.Win32.FakeWarn

14.0.0.4590

Malwarebytes

Trojan.Dropper

v2013.12.21.01

McAfee

Artemis!40C2E18015FB

5600.7275

Microsoft Security Essentials

Trojan:Win32/Dynamer!ac

1.165.247.01

MicroWorld eScan

Trojan.GenericKD.1433529

14.0.0.1065

NANO AntiVirus

Trojan.Win32.BtcMine.cqkzjs

0.28.0.57029

Norman

Troj_Generic.RPMAI

11.20131221

Panda Antivirus

Trj/CI.A

13.12.21.01

Reason Heuristics

Unnamed.Threat.61

14.3.1.13

Trend Micro House Call

TROJ_GEN.R08OC0DL913

7.2.355

Trend Micro

TROJ_GEN.R08OC0DL913

10.465.21

Vba32 AntiVirus

Trojan.FakeWarn

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

24566

File size:

3.6 MB (3,738,570 bytes)

Product version:

4.0.30319.17929

Original file name:

aspnet_compiler.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\viberpc\ndsm.exe

File PE Metadata

Compilation timestamp:

11/23/2013 2:30:35 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.50

CTPH (ssdeep):

98304:eNxBvvXGcFatU857yMUmWVCTrPZpjznC7YRxfs:YxVvGckplarV4rPDznC4y

Entry address:

0x1000

Entry point:

68, D0, 01, 00, 00, 68, 00, 00, 00, 00, 68, F8, 26, 41, 00, E8, FC, 7F, 00, 00, 83, C4, 0C, 68, 00, 00, 00, 00, E8, F5, 7F, 00, 00, A3, FC, 26, 41, 00, 68, 00, 00, 00, 00, 68, 00, 10, 00, 00, 68, 00, 00, 00, 00, E8, E2, 7F, 00, 00, A3, F8, 26, 41, 00, E8, 7C, A7, 00, 00, E8, 30, A6, 00, 00, E8, 62, 98, 00, 00, E8, 9C, 91, 00, 00, E8, 08, 8C, 00, 00, E8, F1, 89, 00, 00, E8, 1C, 80, 00, 00, C7, 05, 01, E0, 40, 00, 06, 00, 00, 02, E8, 9F, A7, 00, 00, 50, 68, 40, F4, 40, 00, E8, 10, 6B, 00, 00, 68, 04, 27, 41... 
[+]

Entropy:

7.9957

Packer / compiler:

PKLITE32, 0x1.1

Code size:

43 KB (44,032 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Keyboard Inf.

Command:

C:\users\{user}\appdata\roaming\viberpc\ndsm.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to www.turktelekom.com.tr (195.175.254.2:80)

Remove ndsm.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.