Microsoft.Workflow.Compiler.exe

File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
Description: Microsoft.Workflow.Compiler.exe
Comments: Flavor=Retail

Hashes

Type	Hash
MD5	`CC3FC0B1818A22ADB086F2785A3E5A00`
SHA1	`71C3A2A821E43AC49ACBE9D72CBF1CF2CFCD752D`
SHA256	`585F531A76B897D0F480DE1060FA962A132190524479AA2DE624E6D33FCA0391`
SHA384	`3BF15F14051DF2CF08FC0EBAF6A1FEBEABC6F2D99BA95918047375A0C664394A0C6AAC66D870065B0DABF09DBE2DF9BD`
SHA512	`41BD5BF108C2D4C0223316DA253A0D829C7606024B36B6281DE2030A12DE7FDD32E8D85CE2F45EB2C9D76A37002C405308DBE6ED4941BD64A406E0371EA7DEB6`
SSDEEP	`384:er2jKFw1MHBYWaqlcrFC0xrehnd2+Opm2EWclwWKFGC8c+pBj0HRN7vTSccyHRNG:er2jmHHoqclidw64CW7Ri`
IMP	`F34D5F2D4577ED6D9CEEC516C1F5A744`
PESHA1	`807DE2F28D0640266B5AE3677516D9425EC8A72A`
PE256	`4BB3FAE86A30EEEA239DE9B7A8A85E7554EFF933DDD59BF9ED9EA53F29A1839A`

Runtime Data

Usage (stderr):

Unhandled Exception: System.ArgumentException: The compiler process was not given arguments or was given an invalid set of arguments. When invoking the process the expected arguments are the path to the compiler input and the path to where the output should be placed.
Parameter name: args
   at Microsoft.Workflow.Compiler.Program.Main(String[] args)

Child Processes:

conhost.exe Microsoft.Workflow.Compiler.exe WerFault.exe

Open Handles:

Path	Type
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll	File
(RW-) C:\Windows\System32	File
...\Cor_SxSPublic_IPCBlock	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\BaseNamedObjects\Cor_Private_IPCBlock_v4_9152	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section

Loaded Modules:

Path
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
C:\WINDOWS\System32\KERNEL32.dll
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\MSCOREE.DLL
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

Status: Signature verified.
Serial: 33000002ED2C45E4C145CF48440000000002ED
Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: Microsoft.Workflow.Compiler.exe
Product Name: Microsoft .NET Framework
Company Name: Microsoft Corporation
File Version: 4.8.4161.0 built by: NET48REL1
Product Version: 4.8.4161.0
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/76
VirusTotal Link: https://www.virustotal.com/gui/file/585f531a76b897d0f480de1060fa962a132190524479aa2de624e6d33fca0391/detection

File Similarity (ssdeep match)

File	Score
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\flogvwrc.dll	35
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\gacutlrc.dll	35
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\IlDasmrc.dll	29
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\pevrfyrc.dll	29
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\snrc.dll	27
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\1033\TrackerUI.dll	29
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\flogvwrc.dll	33
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\gacutlrc.dll	30
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\IlDasmrc.dll	29
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\pevrfyrc.dll	30
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\snrc.dll	27
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\1033\TrackerUI.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Accessibility.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\Microsoft.Win32.Primitives.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.AppContext.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Collections.Concurrent.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Collections.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Collections.NonGeneric.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Collections.Specialized.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ComponentModel.Annotations.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ComponentModel.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ComponentModel.EventBasedAsync.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ComponentModel.Primitives.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ComponentModel.TypeConverter.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Console.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Data.Common.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.Contracts.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.Debug.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.FileVersionInfo.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.Process.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.StackTrace.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.TextWriterTraceListener.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.Tools.dll	36
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Diagnostics.TraceSource.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Drawing.Primitives.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Dynamic.Runtime.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Globalization.Calendars.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Globalization.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Globalization.Extensions.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.Compression.ZipFile.dll	38
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.FileSystem.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.FileSystem.DriveInfo.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.FileSystem.Primitives.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.FileSystem.Watcher.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.IsolatedStorage.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.MemoryMappedFiles.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.Pipes.dll	27
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.IO.UnmanagedMemoryStream.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Linq.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Linq.Expressions.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Linq.Parallel.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Linq.Queryable.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Http.Rtc.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.NameResolution.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.NetworkInformation.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Ping.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Primitives.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Requests.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Security.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.Sockets.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.WebHeaderCollection.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.WebSockets.Client.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Net.WebSockets.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ObjectModel.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.Emit.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.Emit.ILGeneration.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.Emit.Lightweight.dll	27
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.Extensions.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Reflection.Primitives.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Resources.Reader.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Resources.ResourceManager.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Resources.Writer.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.CompilerServices.VisualC.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Extensions.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Handles.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.InteropServices.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.InteropServices.RuntimeInformation.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.InteropServices.WindowsRuntime.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Numerics.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Serialization.Formatters.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Serialization.Json.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Serialization.Primitives.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Runtime.Serialization.Xml.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Claims.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Cryptography.Algorithms.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Cryptography.Csp.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Cryptography.Encoding.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Cryptography.Primitives.dll	27
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Cryptography.X509Certificates.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.Principal.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Security.SecureString.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ServiceModel.Duplex.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ServiceModel.Http.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ServiceModel.NetTcp.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ServiceModel.Primitives.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ServiceModel.Security.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Text.Encoding.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Text.Encoding.Extensions.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Text.RegularExpressions.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.Overlapped.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.Tasks.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.Tasks.Parallel.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.Thread.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.ThreadPool.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Threading.Timer.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.ValueTuple.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.ReaderWriter.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.XDocument.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.XmlDocument.dll	38
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.XmlSerializer.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.XPath.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Facades\System.Xml.XPath.XDocument.dll	36
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\ISymWrapper.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\Microsoft.Activities.Build.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\sysglobl.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Activities.DurableInstancing.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.AddIn.Contract.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.ComponentModel.Composition.Registration.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Data.DataSetExtensions.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Data.Services.Design.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Diagnostics.Tracing.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.IO.Compression.dll	32
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.IO.Compression.FileSystem.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Management.Instrumentation.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Net.Http.WebRequest.dll	36
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Numerics.dll	27
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Reflection.Context.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Web.Abstractions.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Web.RegularExpressions.dll	33
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Web.Routing.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Windows.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Windows.Input.Manipulations.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Windows.Presentation.dll	35
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Xml.Serialization.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\UIAutomationClientsideProviders.dll	30
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\UIAutomationProvider.dll	29
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\XamlBuildTask.dll	29
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	43
C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	32
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	75
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	43
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	32
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	100
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	75
C:\Windows\system32\aspnet_counters.dll	30
C:\Windows\system32\msvcr100_clr0400.dll	30
C:\Windows\SysWOW64\aspnet_counters.dll	30
C:\Windows\SysWOW64\msvcr100_clr0400.dll	29

Possible Misuse

The following table contains possible examples of Microsoft.Workflow.Compiler.exe being misused. While Microsoft.Workflow.Compiler.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_workflow_compiler.yml	`title: Microsoft Workflow Compiler`	DRL 1.0
sigma	proc_creation_win_workflow_compiler.yml	`description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.`	DRL 1.0
sigma	proc_creation_win_workflow_compiler.yml	`- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb`	DRL 1.0
sigma	proc_creation_win_workflow_compiler.yml	`Image\\|endswith: '\Microsoft.Workflow.Compiler.exe'`	DRL 1.0
sigma	proc_creation_win_workflow_compiler.yml	`OriginalFileName: 'Microsoft.Workflow.Compiler.exe'`	DRL 1.0
LOLBAS	Microsoft.Workflow.Compiler.yml	`Name: Microsoft.Workflow.Compiler.exe`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- Link: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb`
LOLBAS	Microsoft.Workflow.Compiler.yml	`- Link: https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/`
atomic-red-team	index.md	- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	- Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	- Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	\| mwcpath \| Default location of Microsoft.Workflow.Compiler.exe \| Path \| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\|	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	\| mwcname \| Default name of microsoft.workflow.compiler.exe \| Path \| microsoft.workflow.compiler.exe\|	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	\| renamed_binary \| renamed Microsoft.Workflow.Compiler \| Path \| PathToAtomicsFolder\T1218\src\svchost.exe\|	MIT License. © 2018 Red Canary