tttracer.exe

  • File Path: C:\WINDOWS\SysWOW64\tttracer.exe
  • Description: Time Travel Debugging Tracer Tool

Hashes

Type    Hash
MD5     DA73F0AE0A8FD026654816C7C78E140B
SHA1    B506036D818A7A80B4D7439FF8843D1ED783B917
SHA256  41AB646231A3E8606CC11CE9EA8A285A0D1D0697421037BC3AE3E992C48B8945
SHA384  E4E348CB9F88C75F4763487DA5925A1EE120EA1640B264472BC7D06D31B851D08F3BEEAEEFFA28F152B3E0B9F3C3EC91
SHA512  803CA547FD9F8D8F6D3C03E26F6B5F7D66C3714337BF454B5C4F22B9D9A116B89B7BBEA827E5E836F8A50FD640A01E31150C8252580716F21F3982DBD5FFFCF0
SSDEEP  1536:0lCFEJwp0QoOkGqygEs56WiyTYp3pK3FHbXpvmXSEZuczJe8s4TIeeMxZPwLl:RphoDGxJBOYp5KFZvqSEZukTHZoLl
IMP     F9AEA26DFF736B1CBFE1C0C172F98D3B
PESHA1  D82D178B7DC1B28684E163E0B8DA40F79A78F2AD
PE256   D8F05C9C468F46A3947A7E0D20A73F92099342906400C7DEC179D8513BAB696D

Runtime Data

Usage (stdout):

MICROSOFT TIME TRAVEL DEBUGGING (TTD)

Time Travel Debugging (TTD) command line utility is not meant for use in custom software or
automation. TTD is included with this version of Windows to improve diagnostics gathering and is not
intended for direct use as a stand-alone solution.

DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED "AS IS." YOU BEAR THE RISK OF USING IT. MICROSOFT
GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS,
MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT.

1. DATA COLLECTION. The software may collect information about you and your use of the software and send
   that to Microsoft. Microsoft may use this information to provide services and improve Microsoft's
   products and services. Your opt-out rights, if any, are described in the product documentation. Some
   features in the software may enable collection of data from users of your applications that access or
   use the software. If you use these features to enable data collection in your applications, you must
   comply with applicable law, including getting any required user consent, and maintain a prominent
   privacy policy that accurately informs users about how you use, collect, and share their data. You can
   learn more about Microsoft's data collection and use in the product documentation and the Microsoft
   Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=521839. You agree to comply with all
   applicable provisions of the Microsoft Privacy Statement.

2. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless
   applicable law gives you more rights despite this limitation, you will not (and have no right to):
    a) work around any technical limitations in the software that only allow you to use it in certain ways;
    b) reverse engineer, decompile or disassemble the software;
    c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
    d) use the software for commercial, non-profit, or revenue-generating activities;
    e) use the software in any way that is against the law or to create or propagate malware; or
    f) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted
       solution for others to use, or transfer the software or this agreement to any third party.

3. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services
   for the software. Any support provided is "as is", "with all faults", and without warranty of any kind.

Usage (stderr):

Error:  Unrecognized command line option '--help' (Error Code 0x80070057:  The parameter is incorrect.)

Child Processes:

conhost.exe

Open Handles:

File handles (access rights in parentheses):

  • (R-D) C:\Windows\SysWOW64\help01.out
  • (RW-) C:\Windows
  • (RW-) C:\Windows\SysWOW64
  • (RWD) C:\Windows\SysWOW64\help01.run

Section handles:

  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
  • \BaseNamedObjects\ttdSeq_s_2_01_07
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0
  • \Sessions\2\BaseNamedObjects\ttd_s_2_01_07_1748

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\tttracer.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TTTracer.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/41ab646231a3e8606cc11ce9ea8a285a0d1d0697421037bc3ae3e992c48b8945/detection

File Similarity (ssdeep match)

File                              Score
C:\Windows\system32\tttracer.exe  33
C:\WINDOWS\system32\tttracer.exe  35
C:\Windows\system32\tttracer.exe  35
C:\Windows\SysWOW64\tttracer.exe  35
C:\Windows\SysWOW64\tttracer.exe  33

Possible Misuse

The following table contains possible examples of tttracer.exe being misused. While tttracer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma, Source File: image_load_tttracer_mod_load.yml, License: DRL 1.0

  • description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/

Source: sigma, Source File: proc_creation_win_tttracer_mod_load.yml, License: DRL 1.0

  • description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
  • ParentImage|endswith: '\tttracer.exe'

Source: LOLBAS, Source File: Ttdinject.yml

  • Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)

Source: LOLBAS, Source File: Tttracer.yml

  • Name: Tttracer.exe
  • - Command: tttracer.exe C:\windows\system32\calc.exe
  • Description: Execute calc using tttracer.exe. Requires administrator privileges
  • - Command: TTTracer.exe -dumpFull -attach pid
  • Description: Dumps process using tttracer.exe. Requires administrator privileges
  • - Path: C:\Windows\System32\tttracer.exe
  • - Path: C:\Windows\SysWOW64\tttracer.exe
  • - IOC: Parent child relationship. Tttracer parent for executed command

MIT License. Copyright (c) 2020-2021 Strontic.