ngen.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  • Description: Microsoft Common Language Runtime native compiler
  • Comments: Flavor=Retail

Hashes

Type Hash
MD5 9C08637FF87D15B20C9BECC03F975F16
SHA1 24E0C38DB85D3788B6B66276DE5206996C2187E4
SHA256 A2E008AB3DBAC4E566F47745FECBBE41B623AA404A69082F994DDB771C8E535F
SHA384 32AD6D4B10F337F857F46CE3E025AADF9DE0210FAE351148502FC302BA2E9C0040A5D9FA96967EA37EB091A9E0DB203A
SHA512 4F4857930FB3013FE705EFC3323AFC00CE8B36B55F68FDBEC20EA213879DF9D8B21787DC2682AB0D9973A68D360E4A244100E2A812288B022C6D95E2AE6EB58A
SSDEEP 3072:Zx1a7dfLgHy+i8DC12HiN4gsdpEGaYeztfcp:ZLa7dJ+i8S3Szuz9cp
IMP 3E0E9999397436894662F70FC3D346EB
PESHA1 15485C87529F4737CACFBE66765DEFB4EF2E283D
PE256 4CABC385038522D25E65D0F2A0D421506D4A3443262B0D07818C4798A00AFCCB

Runtime Data

Usage (stdout):

Microsoft (R) CLR Native Image Generator - Version 4.8.4341.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Error: Unrecognized option --help
WARNING: This syntax is deprecated or you mis-typed your command.  Run "ngen /?" to display a list of the currently supported parameters.

Usage: ngen <action> [args] [/nologo] [/silent] [/verbose]
       ngen /? or /help

    /nologo    - Prevents displaying of logo
    /silent    - Prevents displaying of success messages
    /verbose   - Displays verbose output for debugging

Actions:
    ngen install <assembly name> [scenarios] [config] [/queue[:[1|2|3]]
        Generate native images for an assembly and its dependencies
        and install them in the Native Images Cache
        If /queue is specified compilation job is queued up.  If a priority 
        is not specified, the default priority used is 3.
    ngen uninstall <assembly name> [scenarios] [config]
        Delete the native images of an assembly and its dependencies from
        the Native Images Cache.
    ngen update [/queue]
        Update native images that have become invalid
        If /queue is specified compilation jobs are queued up.
    ngen display [assembly name]
        Display the ngen state
    ngen executeQueuedItems [1|2|3]
        Executes queued compilation jobs.
        If priority is not specified all queued compilation jobs are done.
        If priority is specified compilation jobs with greater or equal
        priority than the specified are done. (Short form: eqi)
    ngen queue [pause|continue|status]
        Allows the user to pause and continue the NGen Service, and to
        query its status.
    ngen createPDB <path to native image> <directory to store PDB>
                    [/lines  [<search path for managed PDB>] ]
        Generates a native PDB file for a native image that was previously
        generated by NGen.  The generated PDB file includes names of methods
        and ranges of IP offsets that map to those methods.
        If /lines is specified, then additional information is written to the
        PDB to map ranges of IP offsets to source file line numbers.  /lines
        requires access to the managed PDB generated by the language compiler.
        <search path for managed PDB> may optionally be specified to help NGen
        find the managed PDB

Scenarios:
    /Debug          - Generate images that can be used under a debugger
    /Profile        - Generate images that can be used under a profiler
    /NoDependencies - Generate the minimal number of native images
                      required by this scenario

Config:
    /ExeConfig:<path to exe> - Use the configuration of the specified
                 executable assembly
    /AppBase:<path to appbase directory> - Use the specified directory as
                 the appbase

Loaded Modules:

Path
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ngen.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4341.0 built by: NET48REL1LAST_C
  • Product Version: 4.8.4341.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a2e008ab3dbac4e566f47745fecbbe41b623aa404a69082f994ddb771c8e535f/detection

File Similarity (ssdeep match)

File Score
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 83

Possible Misuse

The following table contains possible examples of ngen.exe being misused. While ngen.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_proc_wrong_parent.yml - '\ngen.exe' DRL 1.0
sigma proc_creation_win_susp_svchost.yml - '\ngen.exe' DRL 1.0
malware-ioc misp_invisimole.json "value": "%WINDIR%\\system32\\drivers\\NGEN Framework\\NGEN.exe", © ESET 2014-2018
malware-ioc invisimole C:\Windows\system32\drivers\NGEN Framework\NGEN.exe © ESET 2014-2018
malware-ioc invisimole "Application"="C:\Windows\system32\drivers\NGEN Framework\NGEN.exe" © ESET 2014-2018
malware-ioc win_apt_invisimole_speedfan_chain.yml - '\Windows\system32\drivers\NGEN Framework\NGEN.exe' © ESET 2014-2018
malware-ioc win_apt_invisimole_speedfan_chain.yml - '\NGEN.exe' © ESET 2014-2018
malware-ioc win_apt_invisimole_speedfan_chain.yml Details\|endswith: '\drivers\NGEN Framework\NGEN.exe' © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.