This one is a curious one. I actually don’t know how to trigger it!

Yet, I will document some bits and bobs, so that you may take these entry points into consideration, at least from a DFIR perspective.

So, edgehtml.dll and mshtml.dll are monsters of a library (23-25MB+). One of the things they do is they provide functions that work in so-called Diagnostic Mode. When Browser is in that mode, it checks a number of environment variables, and if they are set, it will load a COM library specified by one of these entries (JS_DM_CLSID).

And all these Java Script/Diagnostic Mode environment variables it checks are:

• JS_DM_CLSID
• JS_DM_FLAGS
• JS_DM_PATH
• JS_DM_ID

I know it’s not a lot, but if JS_DM_CLSID is set as an environmental variable, you better check it’s value as it may be loaded by the browser. If you know more about the Diagnostic Mode, please let me know.