CompatTelRunner.exe

  • File Path: C:\Windows\system32\CompatTelRunner.exe
  • Description: Microsoft Compatibility Telemetry

Hashes

Type Hash
MD5 F3C4479D5AC4E943381049640E628993
SHA1 9916B5CF58F62099CE1F3BFA0DF880E124FE800B
SHA256 F38EA7112FEA4E469883EF0935C9B47E31386E6A992494EAC12F1067BB45E86A
SHA384 3D48C4418ED9614B7DB20A50F439456F17C994C4D6180C91843F43FC321C1F887799B5D9D0C67D2CAA37C276F6F2C1AE
SHA512 70DBFE721603C7BA849049ADE4D071699D4D765F89596C02E69DFF97FF0DAE52B3FF899FFE6CBAE126A9232942F49DDE0C5AF105A8B5122ED02ADBC08C7CF0A2
SSDEEP 3072:S17mRucu5IfDAZp+dBYE6lDgQr9hbwwBr5cxQ+VBD4nax79UkJvmRItLJ2wkLk0Z:87mRuc0IfDUoBCge9hbwwBtaQH6ukMRp

Runtime Data

Loaded Modules:

Path
C:\Windows\system32\CompatTelRunner.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CompatTelRunner.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1035 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1035
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\CompatTelRunner.exe 96
C:\windows\system32\CompatTelRunner.exe 32
C:\Windows\system32\CompatTelRunner.exe 96

Possible Misuse

The following table contains possible examples of CompatTelRunner.exe being misused. While CompatTelRunner.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\CompatTelRunner.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\CompatTelRunner.exe' DRL 1.0
sigma proc_creation_win_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma proc_creation_win_non_interactive_powershell.yml - '\CompatTelRunner.exe' DRL 1.0
sigma registry_event_abusing_windows_telemetry_for_persistence.yml description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. DRL 1.0
sigma registry_event_telemetry_persistence.yml - '\system32\CompatTelRunner.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.