• File Path: C:\windows\SysWOW64\TSTheme.exe
  • Description: TSTheme Server Module


Type Hash
MD5 C0E552B6EC9D9FCE25491D40EDA3C3BB
SHA1 951E4B2E24525C4D4EF4D19E52B07FC49EFCFD77
SHA256 D4AF506C47AB433DE90CA6E9FE81EEE8FF12997A601C5EA923CC10E3F992B087
SHA384 ACA1F3113B759D27293777C1A2B97B735A03118947779475554F6CEB976F8F220296300044EB1073EFF7BAED57B9C73F
SHA512 9C6EE971E513B13D3F02CF4C10593783D3017F03407B52BE00361B28AA0E0059DD4E2C6E343420BABABD33B9163CE82B3A2ED4A2F4768F1CC60FFC0D109E94AA
SSDEEP 768:tsdQTbk8DWc2aPkH0uSPEzdwqXhBd5nYnr1mMUR0Fmja:uafk8l2+uS4dwOd5Or1vg0Fmja


  • Status: The file C:\windows\SysWOW64\TSTheme.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: TSThemeS.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of TSTheme.exe being misused. While TSTheme.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_suspicious_remote_thread.yml | `- '\tstheme.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.