TSTheme.exe

  • File Path: C:\Windows\system32\TSTheme.exe
  • Description: TSTheme Server Module

Hashes

Type Hash
MD5 5108F54E67CC5D1A44DB4FB64A6045C2
SHA1 5CB13A7E44537498C988358CD59A155D2D497C0D
SHA256 8C43C3947C1D6599E9F115EB82C6E6829FA3AFFD993F0B4207A1E3BF023D1FE8
SHA384 5613D51A34BF726AF5A57FE915B9E2C46A8674F4B6E5E840BE7A8BA5AB767855B0E13FA3AE622D219A0FCD1E0BEB66BE
SHA512 2A90FFFA71E65BFF9268F041F52034A15490472B90B56DF7A8B2777EED144CA3055134604BD3E9AF54C46156938949CF196DA55A64738FCFCF1A3D1D80BA6C92
SSDEEP 1536:HsCkIIZBXRL+wSanOe2r4txLdBxGQqdZer4Y4I+rPDgrlozyol5v2:MCDChDTx2r4tTzR+DDQlou45+
IMP C12F529C6B4328A6103FC0A0C6285568
PESHA1 A7F37DFAE0DD95F1486BB4DCE2AEE64A427357EA
PE256 770C3C19B2ADE83A318B7522B3A58FB271EA05BD72BD35954DE37B3BBF087797

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\TSTheme.exe.mui File
(RW-) C:\Users\user File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\TSTheme.exe
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TSThemeS.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/8c43c3947c1d6599e9f115eb82c6e6829fa3affd993f0b4207a1e3bf023d1fe8/detection

Possible Misuse

The following table contains possible examples of TSTheme.exe being misused. While TSTheme.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\tstheme.exe' DRL 1.0
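A practical way to use the values on this page is as a baseline: any process named TSTheme.exe that is not running from the System32 path, or whose hashes do not match the catalogued build, deserves a second look. The following Python script is an added example, not code from this page, from Strontic or from Microsoft. It reads Sysmon-style process-creation events in a constructed one-line `key=value` format (fields separated by `|`, the `Hashes` field in Sysmon's `ALGO=digest,...` style), and compares each TSTheme.exe instance against the path, SHA256 and IMP hash listed above. The event lines, process IDs and the non-matching digests are constructed for the demo.

```python
"""Baseline check for TSTheme.exe in Sysmon-style process-creation events.

Added example (not from the page, Strontic or Microsoft). Known-good values are
the ones this page lists for build 10.0.19041.1; the events are constructed.
"""

# Known-good values copied from the page above (build 10.0.19041.1).
KNOWN_GOOD_PATH = r"C:\Windows\System32\TSTheme.exe"
KNOWN_GOOD_SHA256 = "8C43C3947C1D6599E9F115EB82C6E6829FA3AFFD993F0B4207A1E3BF023D1FE8"
KNOWN_GOOD_IMPHASH = "C12F529C6B4328A6103FC0A0C6285568"

# Constructed sample events. Format is an assumption for the demo:
# '|'-separated key=value fields; Hashes uses Sysmon's "ALGO=digest,ALGO=digest".
SAMPLE_EVENTS = [
    # 1: the binary as catalogued on this page (System32 path, matching hashes)
    "EventID=1|ProcessId=4120|Image=C:\\Windows\\System32\\TSTheme.exe"
    "|Hashes=MD5=5108F54E67CC5D1A44DB4FB64A6045C2,"
    "SHA256=8C43C3947C1D6599E9F115EB82C6E6829FA3AFFD993F0B4207A1E3BF023D1FE8,"
    "IMPHASH=C12F529C6B4328A6103FC0A0C6285568",
    # 2: same file name dropped under a user profile (constructed digests)
    "EventID=1|ProcessId=5388|Image=C:\\Users\\user\\AppData\\Local\\Temp\\TSTheme.exe"
    "|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000001,"
    "IMPHASH=00000000000000000000000000000001",
    # 3: expected path, but SHA256 differs from this page's build (constructed digest)
    "EventID=1|ProcessId=6012|Image=C:\\Windows\\System32\\TSTheme.exe"
    "|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000002,"
    "IMPHASH=C12F529C6B4328A6103FC0A0C6285568",
    # 4: unrelated process; must be ignored by the check
    "EventID=1|ProcessId=7700|Image=C:\\Windows\\System32\\notepad.exe|Hashes=SHA256=FFFF",
]


def parse_event(line):
    """Split one '|'-separated event line into a dict of field name -> value."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_hashes(hashes_field):
    """Turn 'MD5=..,SHA256=..,IMPHASH=..' into {'MD5': '..', ...} (upper-cased)."""
    out = {}
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().upper()
    return out


def check_event(fields):
    """Return a list of findings for a TSTheme.exe event; [] means it matches the baseline.

    Events for other image names return [] as well, since they are out of scope.
    """
    image = fields.get("Image", "")
    if not image.lower().endswith("\\tstheme.exe"):
        return []
    findings = []
    # Windows paths are case-insensitive, so compare lower-cased.
    if image.lower() != KNOWN_GOOD_PATH.lower():
        findings.append(f"unexpected path: {image}")
    hashes = parse_hashes(fields.get("Hashes", ""))
    sha256 = hashes.get("SHA256")
    if sha256 is None:
        findings.append("no SHA256 in event; cannot compare to baseline")
    elif sha256 != KNOWN_GOOD_SHA256:
        findings.append(f"SHA256 mismatch: {sha256}")
    imphash = hashes.get("IMPHASH")
    # IMPHASH is a weaker signal (it survives rebuilds), so only flag it when present.
    if imphash is not None and imphash != KNOWN_GOOD_IMPHASH:
        findings.append(f"IMPHASH mismatch: {imphash}")
    return findings


def triage(lines):
    """Map ProcessId -> findings for every event that deviates from the baseline."""
    results = {}
    for line in lines:
        fields = parse_event(line)
        findings = check_event(fields)
        if findings:
            results[fields.get("ProcessId", fields.get("Image", "?"))] = findings
    return results


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
```

A SHA256 mismatch on the expected System32 path is usually a different Windows build or update rather than tampering (the page's baseline is 10.0.19041.1), so treat it as "verify" rather than "malicious": confirm the Authenticode signature on the host (for example with `Get-AuthenticodeSignature` in PowerShell) and compare the signer to the Microsoft Windows subject listed above before escalating. A TSTheme.exe running from a user-writable directory, as in the second sample event, is the stronger signal.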

MIT License. Copyright (c) 2020-2021 Strontic.