![]() hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. chm file to review its original contents. Some instances, it is worth decompiling the. Review reputation of remote IP and domain. During investigation, identify script content origination. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. CHM files may contain nearly any file type embedded, but only execute html/htm. ![]() This particular technique will load Windows script code from a compiled help file. The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. Windows System Binary Proxy Execution Compiled HTML File URL In Command Line ![]()
0 Comments
Leave a Reply. |