Microsoft.Workflow.Compiler.exe
- File Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
- Description: Microsoft.Workflow.Compiler.exe
- Comments: Flavor=Retail
Hashes
Type | Hash |
---|---|
MD5 | FC9DE0484A269CE25C09B5B1D25139D1 |
SHA1 | 930D4F60CF9699282AEEE123EBC1CFC9D99B3254 |
SHA256 | 698BE205BC3344D60A2D746D11A80174887B07FDE82A01CFBB835A555064C9D9 |
SHA384 | 2684EE1FA534B5D6E1F94C42CC28BFC5877FD3DE61609C381A58D907A0A8C90E444281EFED21D420991FEC0FFDA0DD0F |
SHA512 | D479431FDF8C1AA1C4D83AD69BADE35E5DCCA39CEB4FAA2998F20B7D2C7B53F4FC4548DAB9B3B26B177EB2779187651F2EED91A2256A60A5E198D4195C0EF80A |
SSDEEP | 384:Sr2jKFw1MHBYWaqlcrFC0xqehld2+Opm2CEWcHwW0FdTsuQpBj0HRN7pvQHRN7TP:Sr2jmHHoqclpPwakuPTfqWF8+Fh |
IMP | F34D5F2D4577ED6D9CEEC516C1F5A744 |
PESHA1 | F84F304E88D8702AA66152DC54076BF86B570BE5 |
PE256 | 3AF6C4613EF373063C69CDED23126423B2F2B49E991A10F8EA060F077B9D9C3D |
Runtime Data
Usage (stderr):
Unhandled Exception: System.ArgumentException: The compiler process was not given arguments or was given an invalid set of arguments. When invoking the process the expected arguments are the path to the compiler input and the path to where the output should be placed.
Parameter name: args
at Microsoft.Workflow.Compiler.Program.Main(String[] args)
Child Processes:
conhost.exe Microsoft.Workflow.Compiler.exe WerFault.exe
Open Handles:
Path | Type |
---|---|
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll | File |
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll | File |
(R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll | File |
(RW-) C:\Users\user | File |
...\Cor_SxSPublic_IPCBlock | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
\BaseNamedObjects\Cor_Private_IPCBlock_v4_4256 | Section |
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
Path |
---|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe |
C:\Windows\System32\KERNEL32.dll |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\MSCOREE.DLL |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232
- Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: Microsoft.Workflow.Compiler.exe
- Product Name: Microsoft .NET Framework
- Company Name: Microsoft Corporation
- File Version: 4.8.4084.0 built by: NET48REL1
- Product Version: 4.8.4084.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/698be205bc3344d60a2d746d11a80174887b07fde82a01cfbb835a555064c9d9/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of Microsoft.Workflow.Compiler.exe
being misused. While Microsoft.Workflow.Compiler.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_workflow_compiler.yml | title: Microsoft Workflow Compiler |
DRL 1.0 |
sigma | proc_creation_win_workflow_compiler.yml | description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. |
DRL 1.0 |
sigma | proc_creation_win_workflow_compiler.yml | - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb |
DRL 1.0 |
sigma | proc_creation_win_workflow_compiler.yml | Image\|endswith: '\Microsoft.Workflow.Compiler.exe' |
DRL 1.0 |
sigma | proc_creation_win_workflow_compiler.yml | OriginalFileName: 'Microsoft.Workflow.Compiler.exe' |
DRL 1.0 |
LOLBAS | Microsoft.Workflow.Compiler.yml | Name: Microsoft.Workflow.Compiler.exe |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - Link: https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb |
|
LOLBAS | Microsoft.Workflow.Compiler.yml | - Link: https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/ |
|
atomic-red-team | index.md | - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | - Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | - Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | ## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | | mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | | mwcname | Default name of microsoft.workflow.compiler.exe | Path | microsoft.workflow.compiler.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | ## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | | renamed_binary | renamed Microsoft.Workflow.Compiler | Path | PathToAtomicsFolder\T1218\src\svchost.exe| | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.