Code.exe
- File Path:
C:\program files\Microsoft VS Code\Code.exe - Description: Visual Studio Code
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 0B83757EEF8F4D32BAD1846CEF7173E5 |
| SHA1 | 4AA8F6B8D618D48CECE3233939F4CBC7C4C2CB8B |
| SHA256 | 295979AAF45CC2DB3E5FD139FB3B2F6E967701C3C1D30AF0AFC9DCF394F931BA |
| SHA384 | 8F84578617268B82EEA253CE56F3B380CD965EFEF04EFBF6F7CC557408D1A3415A0D163C534711177569B5C16CB0189C |
| SHA512 | 2C66F79685C4190AE7075C05BD195D2F38E47995280794F2C97D5FAE8F438D41CA2B8CC52633B2D70C0EF2D46C814140D9A0D87C5F979E49B802E903C57EFC27 |
| SSDEEP | 786432:KTK8PZpMkGA0DILjQ/B7aJqk6KpJdBux9i0nks9R3Nr1vSVOAMswjJ:oK8P0kGA0DILjwB2dpJdB+c0FD3rTjjJ |
Runtime Data
Usage (stdout):
Warning: 'e' is not in the list of known options, but still passed to Electron/Chromium.
Warning: 'l' is not in the list of known options, but still passed to Electron/Chromium.
Warning: 'p' is not in the list of known options, but still passed to Electron/Chromium.
[main 2020-08-30T21:09:31.162Z] update#setState idle
Usage (stderr):
[7388:2388:0830/170938.053:ERROR:exception_handler_server.cc(534)] ConnectNamedPipe: The pipe is being closed. (0xE8)
Child Processes:
Code.exe Code.exe Code.exe
Window Title:
Visual Studio Code
Open Handles:
| Path | Type |
|---|---|
| (R–) C:\Users\user\AppData\Roaming\Code\logs\20200830T170936\main.log | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\mswsock.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\user32.dll.mui | File |
| (RW-) C:\Program Files\Microsoft VS Code | File |
| (RW-) C:\Program Files\Microsoft VS Code\chrome_100_percent.pak | File |
| (RW-) C:\Program Files\Microsoft VS Code\chrome_200_percent.pak | File |
| (RW-) C:\Program Files\Microsoft VS Code\icudtl.dat | File |
| (RW-) C:\Program Files\Microsoft VS Code\locales\en-US.pak | File |
| (RW-) C:\Program Files\Microsoft VS Code\natives_blob.bin | File |
| (RW-) C:\Program Files\Microsoft VS Code\resources.pak | File |
| (RW-) C:\Program Files\Microsoft VS Code\resources\app\node_modules.asar | File |
| (RW-) C:\Program Files\Microsoft VS Code\v8_context_snapshot.bin | File |
| (RW-) C:\Users\user\AppData\Roaming\Code\User\globalStorage\state.vscdb | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec | File |
| (RWD) C:\Users\user\AppData\Roaming\Code\User | File |
| (RWD) C:\Windows\Fonts\segoeui.ttf | File |
| (RWD) C:\Windows\Fonts\segoeuib.ttf | File |
| (RWD) C:\Windows\System32\drivers\etc | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\BaseNamedObjects\1f8cHWNDInterface:15024e | Section |
| \Sessions\1\BaseNamedObjects\1f8cHWNDInterface:5b03ae | Section |
| \Sessions\1\BaseNamedObjects\node-debug-handler-8076 | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme4048709601 | Section |
| \Windows\Theme603176458 | Section |
Loaded Modules:
| Path |
|---|
| C:\program files\Microsoft VS Code\Code.exe |
| C:\program files\Microsoft VS Code\ffmpeg.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\SYSTEM32\UIAutomationCore.DLL |
| C:\Windows\System32\win32u.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
3300000187721772155940C709000000000187 - Thumbprint:
2485A7AFA98E178CB8F30C9838346B514AEA4769 - Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: electron.exe
- Product Name: Visual Studio Code
- Company Name: Microsoft Corporation
- File Version: 1.48.2
- Product Version: 1.48.2
- Language: English (United States)
- Legal Copyright: Copyright (C) 2019 Microsoft. All rights reserved
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Program Files\Microsoft VS Code\Code.exe | 97 |
Possible Misuse
The following table contains possible examples of Code.exe being misused. While Code.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_access_win_in_memory_assembly_execution.yml | - '\Microsoft VS Code\Code.exe' |
DRL 1.0 |
| sigma | proc_access_win_in_memory_assembly_execution.yml | - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe' |
DRL 1.0 |
| sigma | proc_access_win_in_memory_assembly_execution.yml | - TargetImage\|endswith: '\Microsoft VS Code\Code.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - '\Microsoft VS Code\Code.exe' |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass_susp_source.yml | - '\Microsoft VS Code\Code.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.