CompatTelRunner.exe

  • File Path: C:\windows\system32\CompatTelRunner.exe
  • Description: Microsoft Compatibility Telemetry

Hashes

Type Hash
MD5 4BDD8E93D7A5E57BEA22B18BF9675021
SHA1 ABFBB7D770FF065A025253087F85A23FCA07EFA0
SHA256 5F7B85D4E6AC19E16D3C32042ECDE9EF32CDDE0B4021FE4D609D096EF5DC972F
SHA384 053234EB6D9D11ADE68FC7D7DEFBCDBA3AA73504C8D0547E2425BFD4A6447F1DA220FE886722AB7726274E3C7B80FB94
SHA512 97D03FD67FF311F7D5E98B1D6780ED0843B5B08208C5BE1F813A7807CADEE287BAC93243E0B14DD59ACCEA6F60E2E3A35DD403D3A819BD045AE3053415F345D3
SSDEEP 3072:zN432737xQMMR0Lfz5xbSxwx5ObxUrWwmXgtDD+6BD4nax79Uk8WEMdU8MCKR:z232737uMMRUlxrx5+xUrWw1A6ukndUz

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CompatTelRunner.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1035 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1035
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\CompatTelRunner.exe 32
C:\Windows\system32\CompatTelRunner.exe 32
C:\Windows\system32\CompatTelRunner.exe 32

Possible Misuse

The following table contains possible examples of CompatTelRunner.exe being misused. While CompatTelRunner.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\CompatTelRunner.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\CompatTelRunner.exe' DRL 1.0
sigma proc_creation_win_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml - '\CompatTelRunner.exe' DRL 1.0
sigma registry_event_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma registry_event_telemetry_persistence.yml - '\system32\CompatTelRunner.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.