CompatTelRunner.exe

  • File Path: C:\WINDOWS\system32\CompatTelRunner.exe
  • Description: Microsoft Compatibility Telemetry

Hashes

Type    Hash
MD5     1E79615EF9946EB8A28D15584B21DB2F
SHA1    9C6A334BAC3122876FCFE3E46CE9A08BC60D6C3A
SHA256  924405FD4DF46B0A1D955AA492F441B938F051CC830AB494E88398DEF701FC1F
SHA384  D0C80B277009A14F9213F72AE3A7A2846C8CF6ED6C962B96F07CFCBEEDCB4D347CCE55861AA3B17FD7B69A16FD1153D8
SHA512  40ECD7B2D273CF088BF0F6161656BC094290FF0148C6277A4D4E966C09CD03C07DD6C39AC814AE23B5BBA77E834385CA7A319F689E2783A6FC92CB8A6F66240B
SSDEEP  3072:v17mRucu5IfDAZp+dBYE6lDgQr9hbwwBr5cxQ+VBD4nax79UkJvmRItLJ2wkLkhM:N7mRuc0IfDUoBCge9hbwwBtaQH6ukMRJ

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CompatTelRunner.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1035 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1035
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File (path of the compared sample)               Score (ssdeep similarity, 0-100)
C:\windows\system32\CompatTelRunner.exe          32
C:\Windows\system32\CompatTelRunner.exe          96
C:\Windows\system32\CompatTelRunner.exe          96

Possible Misuse

The following table lists detection rules (here, Sigma rules) in which CompatTelRunner.exe appears, whether as the binary being abused or merely as a path referenced in the rule's selection or filter lists. CompatTelRunner.exe is not inherently malicious; it is a signed Windows component, and it is precisely its legitimate ability to execute commands taken from the registry that makes it usable for persistence.

Source | Source File | Example | License
sigma | win_alert_lsass_access.yml | - 'C:\Windows\System32\CompatTelRunner.exe' | DRL 1.0
sigma | image_load_wmi_module_load.yml | - '\CompatTelRunner.exe' | DRL 1.0
sigma | proc_creation_win_abusing_windows_telemetry_for_persistence.yml | description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. | DRL 1.0
sigma | proc_creation_win_non_interactive_powershell.yml | - '\CompatTelRunner.exe' | DRL 1.0
sigma | registry_event_abusing_windows_telemetry_for_persistence.yml | description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. | DRL 1.0
sigma | registry_event_telemetry_persistence.yml | - '\system32\CompatTelRunner.exe' | DRL 1.0
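The two "abusing_windows_telemetry_for_persistence" rules above describe the technique but not the detection logic itself. The following is an added example, not code from this page or from the Sigma project: it runs an approximation of those two rules over constructed Sysmon-style records. It assumes that the runner reads its per-subkey "Command" values from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController (the page itself names only the binary), that the only expected children of a benign run are CompatTelRunner.exe itself and conhost.exe, and that the records carry Sysmon field names (EventID, TargetObject, Details, ParentImage, Image). The sample events are constructed, not captured telemetry.

```python
"""Approximate detection logic for CompatTelRunner.exe telemetry persistence.

Added example, not code from the Strontic page or the Sigma project. The event
records are constructed Sysmon-style dictionaries and the matching logic is this
example's own approximation of the two abusing_windows_telemetry_for_persistence
Sigma rules, not their exact content.
"""

# Registry branch assumed to hold the per-subkey REG_SZ "Command" values that
# CompatTelRunner.exe executes (assumption for this example).
TELEMETRY_CONTROLLER = (
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\"
)
LEGIT_RUNNER = "C:\\Windows\\System32\\CompatTelRunner.exe"
# Children a benign telemetry run is assumed to spawn (assumption for this example).
EXPECTED_CHILDREN = {"compattelrunner.exe", "conhost.exe"}


def command_image(command_line):
    """Return the executable token of a command line, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def registry_event_suspicious(event):
    """Sysmon Event ID 13 (registry value set): flag a Command value under
    TelemetryController whose executable is not the real runner in System32.
    Comparing the executable token rather than searching for a substring also
    catches a command line that merely mentions CompatTelRunner.exe while
    launching something else."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if TELEMETRY_CONTROLLER.lower() not in target.lower():
        return False
    if not target.lower().endswith("\\command"):
        return False
    return command_image(event.get("Details", "")).lower() != LEGIT_RUNNER.lower()


def process_event_suspicious(event):
    """Sysmon Event ID 1 (process create): flag a child of CompatTelRunner.exe
    that is not part of a normal telemetry run."""
    if event.get("EventID") != 1:
        return False
    if not event.get("ParentImage", "").lower().endswith("\\compattelrunner.exe"):
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image not in EXPECTED_CHILDREN


def triage(events):
    """Return the events matching either rule, in input order."""
    return [e for e in events
            if registry_event_suspicious(e) or process_event_suspicious(e)]


# Constructed sample records (not real telemetry); keys mirror Sysmon field names.
SAMPLE_EVENTS = [
    {   # benign: the scheduled run's own Command value, mixed-case path
        "EventID": 13,
        "TargetObject": "HKLM" + TELEMETRY_CONTROLLER + "Nightly\\Command",
        "Details": "C:\\WINDOWS\\system32\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun",
    },
    {   # persistence: a new subkey whose Command launches an attacker binary
        "EventID": 13,
        "TargetObject": "HKLM" + TELEMETRY_CONTROLLER + "Updater\\Command",
        "Details": '"C:\\Users\\Public\\update.exe" -silent',
    },
    {   # benign: console host spawned under the runner
        "EventID": 1,
        "ParentImage": "C:\\Windows\\System32\\CompatTelRunner.exe",
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
    },
    {   # suspicious: command interpreter spawned by the runner
        "EventID": 1,
        "ParentImage": "C:\\Windows\\System32\\CompatTelRunner.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami > C:\\Users\\Public\\out.txt",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["EventID"], hit.get("TargetObject") or hit.get("Image"))
```

Two design points carry over to a real rule: compare the executable token of the Command data against the expected runner path rather than searching for "CompatTelRunner.exe" as a substring, and treat any non-runner, non-conhost child of CompatTelRunner.exe as worth a look, since the scheduled telemetry run is otherwise predictable.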

MIT License. Copyright (c) 2020-2021 Strontic.