hh.exe

hh.exe is the Microsoft HTML Help executable, the program that opens compiled help (.chm) files. Users rarely invoke it directly; applications launch it for them. Attackers abuse it because a CHM is a bundle of HTML that can carry script and command-running shortcut objects, so hh.exe ends up executing attacker-controlled content from inside a signed Microsoft binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • HH.exe {REMOTEURL:.bat} [Download] · Download files from a URL
  • HH.exe {PATH_ABSOLUTE:.exe} [Execute] · Execute a process with HH.exe
  • HH.exe {REMOTEURL:.chm} [Execute] · Execute commands with HH.exe

Indicators

Hashes

Not observed.

Analysis

About this process

hh.exe opens and displays compiled HTML Help (.chm) files, the bundled help format made of HTML, images, and a table of contents. Because CHM content is HTML rendered by the HTML Help viewer, it can include script, and the HTML Help ActiveX control's shortcut object can launch a command when the topic is opened. Nothing in hh.exe distinguishes help content from attacker content. The genuine binary lives at C:\Windows\hh.exe, with a second copy at C:\Windows\System32\hh.exe.

Legitimately, hh.exe opens application help. The .chm it opens and where that file came from are what give an instance meaning.

Security notes

hh.exe is the system binary behind System Binary Proxy Execution: Compiled HTML File (T1218.001). An attacker builds a malicious .chm whose embedded HTML runs script or a shortcut command, delivers it (often as an email attachment), and when the victim opens it hh.exe executes the payload under a trusted, signed Microsoft process, sidestepping application-control rules that allow hh.exe. The LOLBAS entries above show the two other shapes: hh.exe given a URL fetches the file, and hh.exe given a path to an executable launches it. The recognizable evidence is hh.exe opening a .chm from a download or temp path, hh.exe with a URL or a non-.chm argument on its command line, or hh.exe spawning a shell.

Because opening legitimate help is normal, the source of the .chm, the parent, and any child process are what separate a help lookup from code execution.

Anomaly signals
  • Image path other than C:\Windows\hh.exe or C:\Windows\System32\hh.exe (high)
  • Opening a .chm from Temp, AppData, Downloads, or an email attachment (high)
  • Parent is an Office application, a script host, or a mail client (high)
  • hh.exe spawning cmd.exe, powershell.exe, or other LOLBINs (high)
  • Outbound network connections from hh.exe (medium)

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
