regsvr32.exe
- Filename:
- regsvr32.exe
- md5:
- c88b8b7686b95d74a7db4d45169bfc2d
- sha1:
- bbaa528c5b0f1af5047e31df6ac12bed5c37e71f
- sha256:
- d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb
- Filetype:
- PE32+ executable (console) x86-64, for MS Windows, ...
- Size (Bytes):
- 16664344
- Classification:
- malicious
- Indexed:
- Mon Jun 30 2025 12:00:09 GMT+0000 (3 months ago)
- Last modified:
- Mon Jun 30 2025 13:21:46 GMT+0000 (3 months ago)
Sample information
14
Antivirus detections0
IDS alerts8
Processes0
Http events0
Contacted hosts0
DNS Requests10
Score
Current activity of this Sample
Blacklist timeline
Malicious
100 days since the last reported activity
Hashes
In depth details
Dates
Explore our API specification anytime here:
cURL
Python
PowerShell
Request:
curl -H "Authorization: Bearer <API_KEY>" https://api.maltiverse.com/sample/d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb
Response:
{
"antivirus": [
{
"description": "Malicious",
"name": "APEX"
},
{
"description": "W64.AIDetectMalware",
"name": "Bkav"
},
{
"description": "cld.trojan.agent",
"name": "CAT-QuickHeal"
},
{
"description": "win/malicious_confidence_90% (W)",
"name": "CrowdStrike"
},
{
"description": "Unsafe",
"name": "Cylance"
},
{
"description": "MALICIOUS",
"name": "DeepInstinct"
},
{
"description": "malicious (moderate confidence)",
"name": "Elastic"
},
{
"description": "W32/PossibleThreat",
"name": "Fortinet"
},
{
"description": "HEUR:Trojan-Dropper.Python.Agent.gen",
"name": "Kaspersky"
},
{
"description": "Trojan.ShellCode",
"name": "Malwarebytes"
},
{
"description": "Trojan.Malware.197262779.susgen",
"name": "MaxSecure"
},
{
"description": "Static AI - Suspicious PE",
"name": "SentinelOne"
},
{
"description": "BehavesLike.Win64.Generic.wc",
"name": "Skyhigh"
},
{
"description": "Generic Reputation PUA (PUA)",
"name": "Sophos"
}
],
"blacklist": [
{
"count": 7,
"description": "Generic Malware",
"first_seen": "2025-06-30 12:15:03",
"last_seen": "2025-06-30 13:21:46",
"ref": [
21745
],
"source": "Hybrid-Analysis"
}
],
"classification": "malicious",
"creation_time": "2025-06-30 12:00:09",
"filename": [
"regsvr32.exe"
],
"filetype": "PE32+ executable (console) x86-64, for MS Windows, ...",
"is_alive": false,
"is_cdn": false,
"is_cnc": false,
"is_distributing_malware": false,
"is_hosting": false,
"is_iot_threat": false,
"is_known_attacker": false,
"is_known_scanner": false,
"is_mining_pool": false,
"is_open_proxy": false,
"is_phishing": false,
"is_sinkhole": false,
"is_storing_phishing": false,
"is_tor_node": false,
"is_vpn_node": false,
"md5": "c88b8b7686b95d74a7db4d45169bfc2d",
"modification_time": "2025-06-30 13:21:46",
"process_list": [
{
"name": "regsvr32.exe",
"normalizedpath": "C:\\regsvr32.exe",
"sha256": "d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb",
"uid": "00000000-00007620"
},
{
"name": "regsvr32.exe",
"normalizedpath": "C:\\regsvr32.exe",
"sha256": "d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb",
"uid": "00000000-00004552"
},
{
"commandline": "/c \"%TEMP%\\shell.exe 127.0.0.1 4444\"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb",
"uid": "00000000-00001944"
},
{
"commandline": "127.0.0.1 4444",
"name": "shell.exe",
"normalizedpath": "%TEMP%\\shell.exe",
"sha256": "3d229cf75b4daad632a945672ad0ca4610f74ad7f34e289737eceb755c5254ec",
"uid": "00000000-00007172"
},
{
"commandline": "127.0.0.1 4444",
"name": "shell.exe",
"normalizedpath": "%TEMP%\\shell.exe",
"sha256": "3d229cf75b4daad632a945672ad0ca4610f74ad7f34e289737eceb755c5254ec",
"uid": "00000000-00009304"
},
{
"commandline": "/c \"%TEMP%\\psexec.exe -accepteula -s -d powershell.exe -ExecutionPolicy Bypass -File %TEMP%\\tmpbhycevqp\\shell.ps1\"",
"name": "cmd.exe",
"normalizedpath": "%WINDIR%\\system32\\cmd.exe",
"sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb",
"uid": "00000000-00007956"
},
{
"commandline": "-accepteula -s -d powershell.exe -ExecutionPolicy Bypass -File %TEMP%\\tmpbhycevqp\\shell.ps1",
"name": "psexec.exe",
"normalizedpath": "%TEMP%\\psexec.exe",
"sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b",
"uid": "00000000-00009260"
},
{
"name": "PSEXESVC.exe",
"normalizedpath": "%WINDIR%\\PSEXESVC.exe",
"sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e",
"uid": "00000000-00006552"
}
],
"score": 10,
"scoring_executed_time": "2025-06-30 12:15:05",
"sha1": "bbaa528c5b0f1af5047e31df6ac12bed5c37e71f",
"sha256": "d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb",
"size": 16664344,
"type": "sample"
}
Antivirus positives
| Antivirus | Threat |
|---|---|
| APEX | Malicious |
| Bkav | W64.AIDetectMalware |
| CAT-QuickHeal | cld.trojan.agent |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cylance | Unsafe |
| DeepInstinct | MALICIOUS |
| Elastic | malicious (moderate confidence) |
| Fortinet | W32/PossibleThreat |
| Kaspersky | HEUR:Trojan-Dropper.Python.Agent.gen |
| Malwarebytes | Trojan.ShellCode |
| MaxSecure | Trojan.Malware.197262779.susgen |
| SentinelOne | Static AI - Suspicious PE |
| Skyhigh | BehavesLike.Win64.Generic.wc |
| Sophos | Generic Reputation PUA (PUA) |
Process list
- uid
- 00000000-00007620
- commandline
- name
- regsvr32.exe
- normalizedpath
- C:\regsvr32.exe
- sha256
- d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb
- uid
- 00000000-00004552
- commandline
- name
- regsvr32.exe
- normalizedpath
- C:\regsvr32.exe
- sha256
- d488a783e5ca6a65406df5892e895118dffc28705af95be9bbfd58ba4a091feb
- uid
- 00000000-00001944
- commandline
- /c "%TEMP%\shell.exe 127.0.0.1 4444"
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
- uid
- 00000000-00007172
- commandline
- 127.0.0.1 4444
- name
- shell.exe
- normalizedpath
- %TEMP%\shell.exe
- sha256
- 3d229cf75b4daad632a945672ad0ca4610f74ad7f34e289737eceb755c5254ec
- uid
- 00000000-00009304
- commandline
- 127.0.0.1 4444
- name
- shell.exe
- normalizedpath
- %TEMP%\shell.exe
- sha256
- 3d229cf75b4daad632a945672ad0ca4610f74ad7f34e289737eceb755c5254ec
- uid
- 00000000-00007956
- commandline
- /c "%TEMP%\psexec.exe -accepteula -s -d powershell.exe -ExecutionPolicy Bypass -File %TEMP%\tmpbhycevqp\shell.ps1"
- name
- cmd.exe
- normalizedpath
- %WINDIR%\system32\cmd.exe
- sha256
- 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
- uid
- 00000000-00009260
- commandline
- -accepteula -s -d powershell.exe -ExecutionPolicy Bypass -File %TEMP%\tmpbhycevqp\shell.ps1
- name
- psexec.exe
- normalizedpath
- %TEMP%\psexec.exe
- sha256
- 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
- uid
- 00000000-00006552
- commandline
- name
- PSEXESVC.exe
- normalizedpath
- %WINDIR%\PSEXESVC.exe
- sha256
- cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e