TSTheme.exe

  • File Path: C:\WINDOWS\SysWOW64\TSTheme.exe
  • Description: TSTheme Server Module

Hashes

  • MD5: 8B4932509B6AF69270FC42E11EBA3BEE
  • SHA1: 2A24FA5895602D44696550B7A20A3CF96459A205
  • SHA256: 1E80EB01F65B9352F184846FDEEDC2D0FDF9838C261151C8E3AAFE3EC3D3D3CB
  • SHA384: BC00C03DC9ACD7AA84C77E23E80C862BD5A3FE79A0C41B4B45701498CB026C16E216F45392A436A08197F7E64999EE4C
  • SHA512: 209CF4DEC44F777BE6EA2D7B3CBB389B195F8FAB1225E226ECC0824509D92B23A63F13884FC7189DF96BCB748A7B37BC784CDBF3C95AC94D60C3E0FB621A29A5
  • SSDEEP: 1536:9T+bmikZE1G4VO/FblwAIpFG+m8fYlkyxsgUjaD:9T+CikZF8GF6G+mc6VjU2
  • IMP: C059327BB81F9769B552D03F94C4F1A1
  • PESHA1: 58863E3F24BCAC438C759624EB4B92D3DA6D2232
  • PE256: FF184055F68411F27A351164228EC1510218B072EFF087C39AC2DE0E54BA254D

Runtime Data

Open Handles:

  • (R-D) C:\Windows\System32\en-US\TSTheme.exe.mui (File)
  • (RW-) C:\Windows (File)
  • (RW-) C:\Windows\SysWOW64 (File)
  • \BaseNamedObjects\__ComCatalogCache__ (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro (Section)
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 (Section)
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 (Section)

Loaded Modules:

  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\System32\wow64.dll
  • C:\WINDOWS\System32\wow64base.dll
  • C:\WINDOWS\System32\wow64con.dll
  • C:\WINDOWS\System32\wow64cpu.dll
  • C:\WINDOWS\System32\wow64win.dll
  • C:\WINDOWS\SysWOW64\TSTheme.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TSThemeS.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/1e80eb01f65b9352f184846fdeedc2d0fdf9838c261151c8e3aafe3ec3d3d3cb/detection
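To check a host's copy of TSTheme.exe against the identity recorded above, the following PowerShell is an added example (not code from the original page or from Microsoft). It takes the path, hashes, signer thumbprint and subject, and the OriginalFilename listed above as the expected baseline. A host on a later Windows build will legitimately differ in hash and file version while still passing the signature and version-resource checks, so treat a hash mismatch as "different build, re-baseline" and a signature or subject mismatch as "investigate".

```powershell
# Added example: compare the on-disk TSTheme.exe with the values recorded on this page.
# Every expected value below is copied from the page; the path is the page's File Path.
$Path = 'C:\Windows\SysWOW64\TSTheme.exe'

$Expected = @{
    SHA256           = '1E80EB01F65B9352F184846FDEEDC2D0FDF9838C261151C8E3AAFE3EC3D3D3CB'
    MD5              = '8B4932509B6AF69270FC42E11EBA3BEE'
    Thumbprint       = '312860D2047EB81F8F58C29FF19ECDB4C634CF6A'
    Subject          = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    OriginalFilename = 'TSThemeS.exe'   # note: not TSTheme.exe (see File Metadata)
    FileVersionLike  = '10.0.22000.*'   # build recorded on the page; later builds differ
}

$results = [ordered]@{}

# 1. Content hashes. Get-FileHash returns upper-case hex, the same form the page uses.
$results.SHA256Match = ((Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $Expected.SHA256)
$results.MD5Match    = ((Get-FileHash -Path $Path -Algorithm MD5).Hash    -eq $Expected.MD5)

# 2. Authenticode. "Valid" alone is not enough: pin the leaf certificate and subject
#    recorded above so a file signed by some other trusted publisher does not pass.
$sig = Get-AuthenticodeSignature -FilePath $Path
$results.SignatureValid  = ($sig.Status -eq 'Valid')
$results.ThumbprintMatch = ($sig.SignerCertificate.Thumbprint -eq $Expected.Thumbprint)
$results.SubjectMatch    = ($sig.SignerCertificate.Subject    -eq $Expected.Subject)

# 3. Version resource. The legitimate binary reports OriginalFilename TSThemeS.exe,
#    so any detection keyed on OriginalFileName must use that string.
$vi = (Get-Item -Path $Path).VersionInfo
$results.OriginalFilenameMatch = ($vi.OriginalFilename -eq $Expected.OriginalFilename)
$results.FileVersionMatch      = ($vi.FileVersion -like $Expected.FileVersionLike)
$results.CompanyMatch          = ($vi.CompanyName -eq 'Microsoft Corporation')

[pscustomobject]$results | Format-List

# Hash/version drift is expected across builds; signature or name drift is not.
$identityChecks = @($results.SignatureValid, $results.ThumbprintMatch,
                    $results.SubjectMatch, $results.OriginalFilenameMatch)
if ($identityChecks -contains $false) {
    Write-Warning "$Path does not match the recorded signer or version identity; investigate."
} elseif (-not $results.SHA256Match) {
    Write-Host "$Path is validly signed by Microsoft Windows but is a different build than recorded; re-baseline the hashes."
}
```

Run from an elevated or standard shell on the host in question; Get-AuthenticodeSignature reads the embedded signature and the catalog, so it works offline. If the thumbprint check fails while the signature is Valid, the file was signed with a different Microsoft Windows leaf certificate (certificates rotate between builds); compare the Issuer against the one recorded above before escalating.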

Possible Misuse

The following entries list detection content that references TSTheme.exe. TSTheme.exe is a signed Windows component and is not itself malicious, but it can appear in detection logic either because its legitimate behaviour (such as creating threads in other processes) is noisy enough to need an exclusion, or because an attacker can rename or masquerade as it. Before relying on an entry, read the rule itself to see whether the string is a match condition or a filter. Note also that the binary's version resource names it TSThemeS.exe (see File Metadata), so rules keyed on OriginalFileName must use that string rather than TSTheme.exe.

  • Source: sigma
  • Source File: sysmon_suspicious_remote_thread.yml
  • Example: - '\tstheme.exe'
  • License: DRL 1.0
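The Sigma rule above concerns Sysmon remote-thread events. The following PowerShell is an added example (not code from the original page or from the Sigma project) that pulls Sysmon Event ID 8 (CreateRemoteThread) records whose source process is tstheme.exe and summarises where it injected, so an analyst can see what such a rule would match or hide on a given host. It assumes Sysmon is installed with CreateRemoteThread logging enabled and uses Sysmon's standard log name and event field names (SourceImage, TargetImage, StartModule, StartFunction); the "expected path" regex encodes the assumption that a genuine TSTheme.exe lives only under SysWOW64 or System32.

```powershell
# Added example: triage Sysmon EID 8 (CreateRemoteThread) events sourced from tstheme.exe.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 8
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into a name/value map and keep only tstheme.exe sources.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.SourceImage -like '*\tstheme.exe') {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $d.SourceImage
            SourceProcId  = $d.SourceProcessId
            TargetImage   = $d.TargetImage
            TargetProcId  = $d.TargetProcessId
            StartModule   = $d.StartModule
            StartFunction = $d.StartFunction
        }
    }
}

if (-not $rows) {
    Write-Host 'No Sysmon EID 8 events with a tstheme.exe source were found.'
    return
}

# Assumed expected location of the real binary (matches the page's File Path).
$ExpectedPath = '^C:\\Windows\\(SysWOW64|System32)\\tstheme\.exe$'

# 1. Any "tstheme.exe" running from somewhere else is masquerading, and is exactly the case
#    a name-based filter in a rule would wrongly suppress.
$offPath = $rows | Where-Object { $_.SourceImage -notmatch $ExpectedPath }
if ($offPath) {
    Write-Warning "tstheme.exe-named source outside the expected path:"
    $offPath | Format-Table Time, SourceImage, TargetImage -AutoSize
}

# 2. For the genuine binary, show which processes it injected into, most frequent first,
#    so the reviewer can decide whether an exclusion is justified for this environment.
$rows | Where-Object { $_.SourceImage -match $ExpectedPath } |
    Group-Object TargetImage | Sort-Object Count -Descending |
    Select-Object Count, @{n='TargetImage';e={$_.Name}} |
    Format-Table -AutoSize

# 3. Unusual entry points deserve a look regardless of path.
$rows | Where-Object { $_.StartModule -and $_.StartModule -notmatch '^C:\\Windows\\' } |
    Format-Table Time, TargetImage, StartModule, StartFunction -AutoSize
```

On hosts where the Sigma rule fires, compare its output against this summary: if the rule lists tstheme.exe as a filter, section 1 shows what that filter would hide; if it lists it as a match, sections 2 and 3 show whether the matches are the legitimate binary doing routine work or something worth escalating.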

MIT License. Copyright (c) 2020-2021 Strontic.