legitimate use of the dll.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml>sigma
technicques: t1546 t1546.015

Techniques

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

condition: selection
selection:
  Details: C:\WINDOWS\system32\scrobj.dll
  TargetObject|endswith: InprocServer32\(Default)