Code.exe

  • File Path: C:\Program Files\Microsoft VS Code\Code.exe
  • Description: Visual Studio Code

Hashes

  • MD5: BE55302AD3756789D824FD68BD129B1E
  • SHA1: 121E8D883D9B6617005202E010CA7DA22DFB1A56
  • SHA256: 8F7E9404FDEC809D51BE2B37EEBDBBE58148A08594468164F26A46B5F3CE5981
  • SHA384: 94FE2B928BFEFF0E0ECD6453D30555440A69CA627C3AE32B8CE01C693A589ABA45F8D9CDE5DEDDA650FB0AD6AB2535AE
  • SHA512: A6C6D14339B3C898A318B84DA0FDCBE36B739F1794D7C485D988C787C549B4770C45BE2CF9134CCE1E0211576C9E2F02549B20C050C80E478F4CBB939916798C
  • SSDEEP: 1572864:Z3L0ugLP5Fs0GsSRQjh9hvO98AzPwO00BFx4qH:RNG5FsSaQ+PE0BZH
  • IMP: F9443C3DD8B8FE972EFB9A7A0D70C6BD
  • PESHA1: E6CF5E18A3044FCDECBDEE8CC8322E21DD79743D
  • PE256: BA8DFA0A0F0FD5F553D6FE799FE5AE381F2DECC76053E2C2CE3D223B0E16212E

Runtime Data

Usage (stdout):

[main 2021-11-07T00:03:35.528Z] update#setState idle

Usage (stderr):

Warning: 'e' is not in the list of known options, but still passed to Electron/Chromium.
Warning: 'l' is not in the list of known options, but still passed to Electron/Chromium.
Warning: 'p' is not in the list of known options, but still passed to Electron/Chromium.

Child Processes:

csrss.exe winlogon.exe Code.exe Code.exe Code.exe Code.exe Code.exe Code.exe Code.exe

Window Title:

Get Started - Visual Studio Code [Administrator]

Open Handles:

Path Type
(R-D) C:\Program Files\Microsoft VS Code\chrome_100_percent.pak File
(R-D) C:\Program Files\Microsoft VS Code\chrome_200_percent.pak File
(R-D) C:\Program Files\Microsoft VS Code\locales\en-US.pak File
(R-D) C:\Program Files\Microsoft VS Code\resources.pak File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\mswsock.dll.mui File
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(RW-) C:\Program Files\Microsoft VS Code File
(RW-) C:\Program Files\Microsoft VS Code\icudtl.dat File
(RW-) C:\Program Files\Microsoft VS Code\resources\app\node_modules.asar File
(RW-) C:\Program Files\Microsoft VS Code\v8_context_snapshot.bin File
(RW-) C:\Users\user\AppData\Roaming\Code\Local Storage\leveldb\000003.log File
(RW-) C:\Users\user\AppData\Roaming\Code\Local Storage\leveldb\LOCK File
(RW-) C:\Users\user\AppData\Roaming\Code\Local Storage\leveldb\LOG File
(RW-) C:\Users\user\AppData\Roaming\Code\Local Storage\leveldb\MANIFEST-000001 File
(RW-) C:\Users\user\AppData\Roaming\Code\logs\20211106T200346\main.log File
(RW-) C:\Users\user\AppData\Roaming\Code\logs\20211106T200346\renderer1.log File
(RW-) C:\Users\user\AppData\Roaming\Code\QuotaManager File
(RW-) C:\Users\user\AppData\Roaming\Code\QuotaManager-journal File
(RW-) C:\Users\user\AppData\Roaming\Code\Service Worker\Database\000003.log File
(RW-) C:\Users\user\AppData\Roaming\Code\Service Worker\Database\LOCK File
(RW-) C:\Users\user\AppData\Roaming\Code\Service Worker\Database\LOG File
(RW-) C:\Users\user\AppData\Roaming\Code\Service Worker\Database\MANIFEST-000001 File
(RW-) C:\Users\user\AppData\Roaming\Code\User\globalStorage\state.vscdb File
(RW-) C:\Users\user\AppData\Roaming\Code\User\workspaceStorage\1636243427847\state.vscdb File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
(RWD) C:\Users\user File
(RWD) C:\Users\user\AppData\Roaming\Code\GPUCache\data_0 File
(RWD) C:\Users\user\AppData\Roaming\Code\GPUCache\data_1 File
(RWD) C:\Users\user\AppData\Roaming\Code\GPUCache\data_2 File
(RWD) C:\Users\user\AppData\Roaming\Code\GPUCache\data_3 File
(RWD) C:\Users\user\AppData\Roaming\Code\GPUCache\index File
(RWD) C:\Users\user\AppData\Roaming\Code\User File
(RWD) C:\Windows\Fonts File
(RWD) C:\Windows\System32\drivers\etc File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\13acHWNDInterface:2c0960 Section
\Sessions\1\BaseNamedObjects\13acHWNDInterface:470970 Section
\Sessions\1\BaseNamedObjects\node-debug-handler-5036 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Program Files\Microsoft VS Code\Code.exe
C:\Program Files\Microsoft VS Code\ffmpeg.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\SYSTEM32\dbghelp.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSIMG32.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\UIAutomationCore.DLL
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001DF6BF02E92A74AB4D00000000001DF
  • Thumbprint: ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: electron.exe
  • Product Name: Visual Studio Code
  • Company Name: Microsoft Corporation
  • File Version: 1.62.0
  • Product Version: 1.62.0
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2021 Microsoft. All rights reserved
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/8f7e9404fdec809d51be2b37eebdbbe58148a08594468164f26a46b5f3ce5981/detection

Possible Misuse

The following entries are possible examples of Code.exe being misused, taken from public detection rules that reference it. While Code.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma (license: DRL 1.0)

  • proc_access_win_in_memory_assembly_execution.yml
      - '\Microsoft VS Code\Code.exe'
      - 'C:\Users\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
      - TargetImage|endswith: '\Microsoft VS Code\Code.exe'
  • proc_access_win_susp_proc_access_lsass.yml
      - 'C:\Users\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
      - '\Microsoft VS Code\Code.exe'
  • proc_access_win_susp_proc_access_lsass_susp_source.yml
      - '\Microsoft VS Code\Code.exe'

MIT License. Copyright (c) 2020-2021 Strontic.