» regsvr.exe
Overview
Analysis
File Details
Behaviors (1)
Network (2)

regsvr.exe

The application regsvr.exe has been detected as a potentially unwanted program by 23 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler. While running, it connects to the Internet address ir1.fp.vip.ne1.yahoo.com on port 80 using the HTTP protocol.

File name:

regsvr.exe

MD5:

2c03ebfcce68f0499ffe6379044b9e29

SHA-1:

7ca81aae28be8568e21e79d632792b4e8e587fd3

Scanner detections:

23 / 68

Status:

Potentially unwanted

Analysis date:

4/25/2024 9:51:35 AM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

Win32/Sohanad.worm.617343

17.03.02

Avira AntiVirus

TR/Autoit.CI.14

17.03.02

avast!

Win32:AutoIt-CI

2014.9-170302

Bitdefender

Trojan.Generic.319872

1.0.20.305

Clam AntiVirus

Trojan.Autoit.gen

0.98/18155

Dr.Web

Trojan.Siggen.288

9.0.1.061

ESET NOD32

Win32/Autoit.CC

11.-

Fortinet FortiGate

W32/Yahlover.C!worm

3/2/2017

F-Prot

W32/Trojan2.DFYJ

v6.-

F-Secure

Trojan.Win32.Autoit.ci

11.2017-02-03_5

G Data

Trojan.Generic.319872

17.3.-

IKARUS anti.virus

Trojan.Autoit.CI.14

17.03.02

K7 AntiVirus

not-a-virus:Monitor.Win32.Ardamax.ae

13.-

Kaspersky

Trojan.Win32.Autoit

14.0.0.-1247

McAfee

W32/Yahlover.worm.gen.c

5600.6108

Microsoft Security Essentials

TrojanDownloader:AutoIt/Agent

1.163.1557.0

Norman

Sohanad.gen6

11.20170302

Quick Heal

Worm.AutoIt.x

3.17.-

Rising Antivirus

Win32.Virut.GEN

23.00.65.17228

Sophos

W32/Autoit-Z

17.03.02

Trend Micro

WORM_DELF.FKZ

10.465.02

Vba32 AntiVirus

Worm.Win32.AutoIt.x

17.03.02

ViRobot

Trojan.Win32.Autoit.617343

17.03.02

File size:

609.4 KB (623,995 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Windows\System32\regsvr.exe

File PE Metadata

Compilation timestamp:

5/25/2055 11:40:40 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

Entry address:

0xA5001

Entry point:

60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, 50, 0A, 00, 83, BD, 22, 04, 00, 00, 00, 89, 9D, 22, 04, 00, 00, 0F, 85, 65, 03, 00, 00, 8D, 85, 2E, 04, 00, 00, 50, FF, 95, 4D, 0F, 00, 00, 89, 85, 26, 04, 00, 00, 8B, F8, 8D, 5D, 5E, 53, 50, FF, 95, 49, 0F, 00, 00, 89, 85, 4D, 05, 00, 00, 8D, 5D, 6B, 53, 57, FF, 95, 49, 0F, 00, 00, 89, 85, 51, 05, 00, 00, 8D, 45, 77, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72... 
[+]

Entropy:

7.7862

Packer / compiler:

ASPack v2.12

Code size:

404.5 KB (414,208 bytes)

Scheduled Task

Task name:

At1

Path:

C:\WINDOWS\Tasks\At1.job

Trigger:

Weekly (Runs weekly on Fridays at 9:00 AM)

Description:

Created by NetScheduleJobAdd.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ir1.fp.vip.ne1.yahoo.com (98.138.253.109:80)

TCP (HTTP):

Connects to ir1.fp.vip.gq1.yahoo.com (206.190.36.45:80)

Remove regsvr.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.