tttracer.exe
- File Path:
C:\WINDOWS\SysWOW64\tttracer.exe - Description: Time Travel Debugging Tracer Tool
Hashes
| Type | Hash |
|---|---|
| MD5 | DA73F0AE0A8FD026654816C7C78E140B |
| SHA1 | B506036D818A7A80B4D7439FF8843D1ED783B917 |
| SHA256 | 41AB646231A3E8606CC11CE9EA8A285A0D1D0697421037BC3AE3E992C48B8945 |
| SHA384 | E4E348CB9F88C75F4763487DA5925A1EE120EA1640B264472BC7D06D31B851D08F3BEEAEEFFA28F152B3E0B9F3C3EC91 |
| SHA512 | 803CA547FD9F8D8F6D3C03E26F6B5F7D66C3714337BF454B5C4F22B9D9A116B89B7BBEA827E5E836F8A50FD640A01E31150C8252580716F21F3982DBD5FFFCF0 |
| SSDEEP | 1536:0lCFEJwp0QoOkGqygEs56WiyTYp3pK3FHbXpvmXSEZuczJe8s4TIeeMxZPwLl:RphoDGxJBOYp5KFZvqSEZukTHZoLl |
| IMP | F9AEA26DFF736B1CBFE1C0C172F98D3B |
| PESHA1 | D82D178B7DC1B28684E163E0B8DA40F79A78F2AD |
| PE256 | D8F05C9C468F46A3947A7E0D20A73F92099342906400C7DEC179D8513BAB696D |
Runtime Data
Usage (stdout):
MICROSOFT TIME TRAVEL DEBUGGING (TTD)
Time Travel Debugging (TTD) command line utility is not meant for use in custom software or
automation. TTD is included with this version of Windows to improve diagnostics gathering and is not
intended for direct use as a stand-alone solution.
DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED "AS IS." YOU BEAR THE RISK OF USING IT. MICROSOFT
GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS,
MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT.
1. DATA COLLECTION. The software may collect information about you and your use of the software and send
that to Microsoft. Microsoft may use this information to provide services and improve Microsoft's
products and services. Your opt-out rights, if any, are described in the product documentation. Some
features in the software may enable collection of data from users of your applications that access or
use the software. If you use these features to enable data collection in your applications, you must
comply with applicable law, including getting any required user consent, and maintain a prominent
privacy policy that accurately informs users about how you use, collect, and share their data. You can
learn more about Microsoft's data collection and use in the product documentation and the Microsoft
Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=521839. You agree to comply with all
applicable provisions of the Microsoft Privacy Statement.
2. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless
applicable law gives you more rights despite this limitation, you will not (and have no right to):
a) work around any technical limitations in the software that only allow you to use it in certain ways;
b) reverse engineer, decompile or disassemble the software;
c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
d) use the software for commercial, non-profit, or revenue-generating activities;
e) use the software in any way that is against the law or to create or propagate malware; or
f) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted
solution for others to use, or transfer the software or this agreement to any third party.
3. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services
for the software. Any support provided is "as is", "with all faults", and without warranty of any kind.
Usage (stderr):
Error: Unrecognized command line option '--help' (Error Code 0x80070057: The parameter is incorrect.)
Child Processes:
conhost.exe
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\SysWOW64\help01.out | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\SysWOW64 | File |
| (RWD) C:\Windows\SysWOW64\help01.run | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\ttdSeq_s_2_01_07 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\ttd_s_2_01_07_1748 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\tttracer.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: TTTracer.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/41ab646231a3e8606cc11ce9ea8a285a0d1d0697421037bc3ae3e992c48b8945/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\tttracer.exe | 33 |
| C:\WINDOWS\system32\tttracer.exe | 35 |
| C:\Windows\system32\tttracer.exe | 35 |
| C:\Windows\SysWOW64\tttracer.exe | 35 |
| C:\Windows\SysWOW64\tttracer.exe | 33 |
Possible Misuse
The following table contains possible examples of tttracer.exe being misused. While tttracer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_tttracer_mod_load.yml | description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
DRL 1.0 |
| sigma | image_load_tttracer_mod_load.yml | - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ |
DRL 1.0 |
| sigma | proc_creation_win_tttracer_mod_load.yml | description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
DRL 1.0 |
| sigma | proc_creation_win_tttracer_mod_load.yml | - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ |
DRL 1.0 |
| sigma | proc_creation_win_tttracer_mod_load.yml | ParentImage\|endswith: '\tttracer.exe' |
DRL 1.0 |
| LOLBAS | Ttdinject.yml | Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) |
|
| LOLBAS | Tttracer.yml | Name: Tttracer.exe |
|
| LOLBAS | Tttracer.yml | - Command: tttracer.exe C:\windows\system32\calc.exe |
|
| LOLBAS | Tttracer.yml | Description: Execute calc using tttracer.exe. Requires administrator privileges |
|
| LOLBAS | Tttracer.yml | - Command: TTTracer.exe -dumpFull -attach pid |
|
| LOLBAS | Tttracer.yml | Description: Dumps process using tttracer.exe. Requires administrator privileges |
|
| LOLBAS | Tttracer.yml | - Path: C:\Windows\System32\tttracer.exe |
|
| LOLBAS | Tttracer.yml | - Path: C:\Windows\SysWOW64\tttracer.exe |
|
| LOLBAS | Tttracer.yml | - IOC: Parent child relationship. Tttracer parent for executed command |
MIT License. Copyright (c) 2020-2021 Strontic.