w32tm.exe

  • File Path: C:\windows\SysWOW64\w32tm.exe
  • Description: Windows Time Service Diagnostic Tool

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 5B0B8913F4E835B3E435010700501082 |
| SHA1 | C7E4C070DCDE21423297FC7D2C4376963ABCAC24 |
| SHA256 | 15E9EF8FE24A1CE0AD23911B6EA10D3E56C8586AD310DA7B994958F64EAC92C1 |
| SHA384 | E532DF076B4ABB0262590026EEF37686E0FF5BBAAEE11A7F153F65EC7972A219712AB6F964C7E5E34218DF897B635047 |
| SHA512 | 45A72897E13F11E6F07FD3AFEBD7C87135344F2F7A46415DB71FCCFBC200C454D46D8813C77DD17BEEB1D68DBDDEB754BCE3E2454B095D15C9B0BB607C4D7CB8 |
| SSDEEP | 1536:m4mIDYpn6lZdHFA77hLDFpUxYJy5HzDKU00oWZRVP9e9:mbII6tHFA7tLDFOIU00oWZjPM |

Signature

  • Status: The file C:\windows\SysWOW64\w32tm.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: w32time.dll.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of w32tm.exe being misused. While w32tm.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_remote_time_discovery.yml | `- Image\|endswith: '\w32tm.exe'` | DRL 1.0 |
| malware-ioc | misp_invisimole.json | `"description": "The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nAn adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a [Scheduled Task](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.",` | © ESET 2014-2018 |
| atomic-red-team | T1124.md | System time information may be gathered in a number of ways, such as with Net on Windows by performing `net time \\hostname` to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using `w32tm /tz`. (Citation: Technet Windows Time Service) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1124.md | `w32tm /tz` | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.