ngen.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  • Description: Microsoft Common Language Runtime native compiler
  • Comments: Flavor=Retail

Hashes

  Type     Hash
  MD5      5AE92211A53BD5C9006222AFA31C85B7
  SHA1     71A0E425F96C8CB599AB8FF643F4D1765E111C2B
  SHA256   EB88B9A51EA3730B4A95BBCB28E101C2A1736AD65E63AAE7ABAA09A8B37DDBEF
  SHA384   36246D1E1CE1D00FE99EB86D32182E2A16221A1935B5943849CEB2B7818570ACDAEC72BB178F6BB3E5D9A17DEF7EAA13
  SHA512   36C2B6D71A97AC714E0DA72FA48C9B385451E40F1ECCC1D59380FFC3D16F3B78AFBBA0775D8670C35A88A25FF2E8621D97B73B8F04EEC637B001F3849103B600
  SSDEEP   3072:SaQwK0q3HAuLQl/PwvPsU2WXmJsTnz1N+2FWHOhubFm7QbResM:SPwK0q3HAjdPwnsU2WXRLz1N+OBubFmr
  IMP      4AD0B1CAB8B0F51517768C87B067BA8A
  PESHA1   EFC6B5AEB660033D205FD5DB8FDFC6F74A6EC523
  PE256    0A01116F2FA06DD365F5B48195CDBC776878D834DEDDBE8BC4F795FA31E12625

Runtime Data

Usage (stdout):

Microsoft (R) CLR Native Image Generator - Version 4.8.4341.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Error: Unrecognized option --help
WARNING: This syntax is deprecated or you mis-typed your command.  Run "ngen /?" to display a list of the currently supported parameters.

Usage: ngen <action> [args] [/nologo] [/silent] [/verbose]
       ngen /? or /help

    /nologo    - Prevents displaying of logo
    /silent    - Prevents displaying of success messages
    /verbose   - Displays verbose output for debugging

Actions:
    ngen install <assembly name> [scenarios] [config] [/queue[:[1|2|3]]
        Generate native images for an assembly and its dependencies
        and install them in the Native Images Cache
        If /queue is specified compilation job is queued up.  If a priority 
        is not specified, the default priority used is 3.
    ngen uninstall <assembly name> [scenarios] [config]
        Delete the native images of an assembly and its dependencies from
        the Native Images Cache.
    ngen update [/queue]
        Update native images that have become invalid
        If /queue is specified compilation jobs are queued up.
    ngen display [assembly name]
        Display the ngen state
    ngen executeQueuedItems [1|2|3]
        Executes queued compilation jobs.
        If priority is not specified all queued compilation jobs are done.
        If priority is specified compilation jobs with greater or equal
        priority than the specified are done. (Short form: eqi)
    ngen queue [pause|continue|status]
        Allows the user to pause and continue the NGen Service, and to
        query its status.
    ngen createPDB <path to native image> <directory to store PDB>
                    [/lines  [<search path for managed PDB>] ]
        Generates a native PDB file for a native image that was previously
        generated by NGen.  The generated PDB file includes names of methods
        and ranges of IP offsets that map to those methods.
        If /lines is specified, then additional information is written to the
        PDB to map ranges of IP offsets to source file line numbers.  /lines
        requires access to the managed PDB generated by the language compiler.
        <search path for managed PDB> may optionally be specified to help NGen
        find the managed PDB

Scenarios:
    /Debug          - Generate images that can be used under a debugger
    /Profile        - Generate images that can be used under a profiler
    /NoDependencies - Generate the minimal number of native images
                      required by this scenario

Config:
    /ExeConfig:<path to exe> - Use the configuration of the specified
                 executable assembly
    /AppBase:<path to appbase directory> - Use the specified directory as
                 the appbase

Loaded Modules:

  Path
  C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  C:\WINDOWS\System32\KERNEL32.DLL
  C:\WINDOWS\System32\KERNELBASE.dll
  C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ngen.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4341.0 built by: NET48REL1LAST_C
  • Product Version: 4.8.4341.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/eb88b9a51ea3730b4a95bbcb28e101c2a1736ad65e63aae7abaa09a8b37ddbef/detection

File Similarity (ssdeep match)

  File                                                       Score
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe   74

Possible Misuse

The following table contains possible examples of ngen.exe being misused. While ngen.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  Source        Source File                               Example                                                                      License
  sigma         proc_creation_win_proc_wrong_parent.yml   - '\ngen.exe'                                                                DRL 1.0
  sigma         proc_creation_win_susp_svchost.yml        - '\ngen.exe'                                                                DRL 1.0
  malware-ioc   misp_invisimole.json                      "value": "%WINDIR%\\system32\\drivers\\NGEN Framework\\NGEN.exe"             © ESET 2014-2018
  malware-ioc   invisimole                                C:\Windows\system32\drivers\NGEN Framework\NGEN.exe                          © ESET 2014-2018
  malware-ioc   invisimole                                "Application"="C:\Windows\system32\drivers\NGEN Framework\NGEN.exe"          © ESET 2014-2018
  malware-ioc   win_apt_invisimole_speedfan_chain.yml     - '\Windows\system32\drivers\NGEN Framework\NGEN.exe'                        © ESET 2014-2018
  malware-ioc   win_apt_invisimole_speedfan_chain.yml     - '\NGEN.exe'                                                                © ESET 2014-2018
  malware-ioc   win_apt_invisimole_speedfan_chain.yml     Details|endswith: '\drivers\NGEN Framework\NGEN.exe'                         © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.