The alert SOC113 Suspicious hh.exe Usage triggered after WinRAR.chm was opened on host BillPRD. The file was downloaded and then opened with hh.exe, the Windows HTML Help viewer, which is listed as a LOLBIN because a CHM file can carry embedded script or shortcut objects that hh.exe will execute. Hash lookup and sandbox detonation of the file confirm it is the legitimate WinRAR help file and show no malicious behaviour.
Jan 31 2021 04:59 PM
Host BillPRD (172.16.17.47) accessed and executed WinRAR.chm using hh.exe
The alert fired because hh.exe was used to open a CHM file, a technique that attackers abuse to run commands from a help file that looks harmless. In this case the VirusTotal hash lookup and the sandbox detonation both returned clean results, and no malicious activity was observed on the host. The activity is classified as a false positive.
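The distinction that matters when triaging this kind of alert is whether hh.exe merely rendered a help file or went on to spawn something a help viewer has no business launching (cmd.exe, powershell.exe, mshta.exe and similar). The script below is an added example for this write-up, not part of the original analysis or of any tool used in it. It runs that check over constructed process-creation records: the field names Image, ParentImage and CommandLine follow Sysmon Event ID 1, but the sample lines themselves are made up for illustration and are not telemetry from BillPRD, and the list of suspicious child images is the example author's choice.

```python
"""Triage hh.exe (HTML Help) process events for signs of CHM abuse.

Added example, not code from the original alert write-up. Input is a
simplified, constructed record format (Image | ParentImage | CommandLine);
the field names follow Sysmon Event ID 1, the sample lines are invented.
"""
import re
from dataclasses import dataclass, field

# Child processes a help viewer should never need to launch. Chosen for this
# example; tune the set for your own environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events, one per line: Image | ParentImage | CommandLine.
# Line 1 mirrors the benign WinRAR.chm case; lines 2-3 show the abuse pattern
# (hh.exe spawning cmd.exe) that a genuine positive would produce.
SAMPLE_EVENTS = r"""
# Image | ParentImage | CommandLine   (constructed, not real telemetry)
C:\Windows\hh.exe | C:\Windows\explorer.exe | "C:\Windows\hh.exe" C:\Users\user\Downloads\WinRAR.chm
C:\Windows\hh.exe | C:\Windows\explorer.exe | "C:\Windows\hh.exe" C:\Users\user\Downloads\invoice.chm
C:\Windows\System32\cmd.exe | C:\Windows\hh.exe | cmd.exe /c powershell -w hidden -enc QQBCAEMA
"""

# A .chm path on the command line, taken as the whitespace-delimited token
# ending in .chm (sample paths contain no spaces).
CHM_RE = re.compile(r"(\S+\.chm)(?!\S)", re.IGNORECASE)


@dataclass
class Triage:
    opened_chm: list = field(default_factory=list)   # CHM files hh.exe was asked to open
    suspicious: list = field(default_factory=list)   # hh.exe -> child a help viewer should not spawn


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse pipe-delimited records into Sysmon-style field dictionaries."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        image, parent, cmdline = (part.strip() for part in line.split("|", 2))
        events.append({"Image": image, "ParentImage": parent, "CommandLine": cmdline})
    return events


def triage(events: list[dict]) -> Triage:
    """Record every CHM opened by hh.exe and flag suspicious children of hh.exe."""
    result = Triage()
    for ev in events:
        image = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        if image == "hh.exe":
            match = CHM_RE.search(ev["CommandLine"])
            result.opened_chm.append(match.group(1) if match else ev["CommandLine"])
        if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
            result.suspicious.append(f"hh.exe spawned {image}: {ev['CommandLine']}")
    return result


if __name__ == "__main__":
    findings = triage(parse_events(SAMPLE_EVENTS))
    for chm in findings.opened_chm:
        print(f"[info] hh.exe opened {chm}")
    for hit in findings.suspicious:
        print(f"[ALERT] {hit}")
    if not findings.suspicious:
        print("No suspicious child processes of hh.exe; consistent with a benign help file.")
```

Run against the first sample line alone, the script reports only that hh.exe opened WinRAR.chm and raises no alert, which is the evidence pattern (clean file, no follow-on execution) behind the false-positive verdict above; the invoice.chm lines show what a true positive looks like so the two cases can be told apart in the same telemetry.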