CompatTelRunner.exe

  • File Path: C:\WINDOWS\system32\CompatTelRunner.exe
  • Description: Microsoft Compatibility Telemetry

Hashes

Type Hash
MD5 CD9357F04228E92C88039F06A48310EF
SHA1 30881C8252E6E7719D0B61940C4862D820D56CE8
SHA256 97502076754D0DA3FFCAE9064198244E1F9874494FBC65630A3C580BD469538D
SHA384 3E878D420AC3A5F696CD86DA436431472E9EDAF1C86EC2545161701709E7F48143ABCCA91984FBE216CA7D9063F3A708
SHA512 69998825E19303EDD991846D46D2B4B7C744409D9F98BF4A0874FA938A5837E91A8C47F4C5E8F9A8C7086664246FDDD94B11A3506FE6E89A18CFC9941A99A263
SSDEEP 3072:JV1My37oAWUz/Baqc+h+xP7Dsq9rkh0ZqaB6T9tF8v1nSW:/1V37oWzeGm8ykZai38BSW
IMP 0CE6D6B7621BA0223AFA57F31EAB4334
PESHA1 922A080ED85DBBE2038E7252DD6BF7325BBCAEE7
PE256 3934492E02E864652357DBCB917B2269FF3F2FDF09716ADD6F2EE72259CF867A

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\system32\CompatTelRunner.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CompatTelRunner.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/97502076754d0da3ffcae9064198244e1f9874494fbc65630a3c580bd469538d/detection

Possible Misuse

The following table contains possible examples of CompatTelRunner.exe being misused. While CompatTelRunner.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_wmi_module_load.yml - '\CompatTelRunner.exe' DRL 1.0
sigma process_creation_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma win_non_interactive_powershell.yml - '\CompatTelRunner.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - '\compattelrunner.exe' DRL 1.0
sigma registry_event_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma sysmon_win_reg_telemetry_persistence.yml - '\system32\CompatTelRunner.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.