File name:

RiotClientServices.exe

Full analysis: https://app.any.run/tasks/be2ebe1e-dcb1-49de-8c90-f946326c2595
Verdict: Malicious activity
Analysis date: August 03, 2024, 20:07:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

CA7EF8FD39C4D993892401B22C9063B6

SHA1:

E36123817F82DB1386CBEBFACED782162A3A2ECC

SHA256:

8BF154E63415C66AB64ED51E62C22659C8F52B03C74E06DDE6F30ED920862C14

SSDEEP:

786432:r7QfqcQT6F+jKt2BAfgg4YEDxKzMT/aYyU3V7l68g:XQfdQOUKt2BAf14YIxAMr/3368g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RiotClientServices.exe (PID: 6872)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RiotClientServices.exe (PID: 6872)
    • Reads the date of Windows installation

      • RiotClientServices.exe (PID: 6872)
    • Application launched itself

      • RiotClientServices.exe (PID: 6872)
    • Process drops legitimate windows executable

      • RiotClientServices.exe (PID: 6872)
    • Executable content was dropped or overwritten

      • RiotClientServices.exe (PID: 6872)
  • INFO

    • Creates files or folders in the user directory

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Creates files in the program directory

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Reads the computer name

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Checks supported languages

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Process checks computer location settings

      • RiotClientServices.exe (PID: 6872)
    • Create files in a temporary directory

      • RiotClientServices.exe (PID: 6872)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1985:08:03 07:48:49+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 6908928
InitializedDataSize: 63644672
UninitializedDataSize: -
EntryPoint: 0x61785c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 91.0.2.1870
ProductVersionNumber: 91.0.2.1870
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Riot Client
FileVersion: 91.0.2.1870
InternalName: Riot Client
OriginalFileName: RiotClientServices.exe
ProductName: RiotClient
ProductVersion: 91.0.2.1870
CompanyName: Riot Games, Inc.
LegalCopyright: (c) 2019 Riot Games, Inc.
No data.
All screenshots are available in the full report
Total processes: 112
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> riotclientservices.exe -> riotclientservices.exe

Process information

PID: 6872
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: explorer.exe
User: admin
Company: Riot Games, Inc.
Integrity Level: MEDIUM
Description: Riot Client
Version: 91.0.2.1870
Modules (images):
c:\users\admin\desktop\riotclientservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7048
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe" "--agent" "--riotclient-app-port=49721" "--riotclient-auth-token=ZT5fxO5DW9iDkaS6vtCBhA" "--app-root=C:/Users/admin/Desktop" "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/RiotClientServices/Update" "--log-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices/Logs" "--user-data-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices" "--session-id=e04e2925-cb33-cb45-9e5b-5a83bcd85bd1"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: RiotClientServices.exe
User: admin
Company: Riot Games, Inc.
Integrity Level: HIGH
Description: Riot Client
Version: 91.0.2.1870
Modules (images):
c:\users\admin\desktop\riotclientservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 467
Read events: 8 448
Write events: 13
Delete events: 6

Modification events

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: D81A0000EAD33BD3E0E5DA01

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: AF7933757B26A58E85DE9B9F43338875A020D315E75A492D72CDE819F62A87EA

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Riot Games

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 177B67F45F99B809E9348BABBA8952C9468C46C64B324C182C7F037C8AC43823

Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: (binary data, not rendered in the report)
Executable files: 6
Suspicious files: 39
Text files: 3
Unknown types: 21

Dropped files

PID | Process | Filename | Type
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\LICENSES.chromium.html | -
MD5: -
SHA256: -
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\Riot Client.exe | -
MD5: -
SHA256: -
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\icudtl.dat | -
MD5: -
SHA256: -
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\chrome_200_percent.pak | binary
MD5: 5604B67E3F03AB2741F910A250C91137
SHA256: 1408387E87CB5308530DEF6CE57BDC4E0ABBBAA9E70F687FD6C3A02A56A0536C
6872 | RiotClientServices.exe | C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.db-journal | binary
MD5: 9E3E67745C767F13FC9C9DC827254922
SHA256: B68C1CD8019B84A6B405B26E211076DB01BD1D6305CB437836FCBEB7E74BB20E
6872 | RiotClientServices.exe | C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.manifest | binary
MD5: 3E4BF746075AB6148BF8E3531F9C6934
SHA256: 5FE43A01F1E50CEB1A2EBFDEBCE44BA6DDF958F555432C55DCB36F1C372BED27
6872 | RiotClientServices.exe | C:\ProgramData\Riot Games\machine.cfg | text
MD5: 193A98E540281DBBED57069BB936EF10
SHA256: AC3809BEABAA69224C1019F4800539A96C079E472FF3B3E3E95632094F925B37
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\LICENSE.electron.txt | text
MD5: 4D42118D35941E0F664DDDBD83F633C5
SHA256: 5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\RiotClientElectron\chrome_100_percent.pak | binary
MD5: D31F3439E2A3F7BEE4DDD26F46A2B83F
SHA256: 9F79F46CA911543EAD096A5EE28A34BF1FBE56EC9BA956032A6A2892B254857E
6872 | RiotClientServices.exe | C:\Riot Games\Riot Client\Microsoft.Gaming.XboxApp.Extensions.winmd | executable
MD5: D6ABF638473C8FA2B7F88961D5402FCF
SHA256: 000D645A07789C850A7B4CB63A864CEDE47F9DE81ADC8534EC1FECA3807843C0
HTTP(S) requests: 141
TCP/UDP connections: 60
DNS requests: 8
Threats: 136

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | HEAD | 200 | 2.16.10.183:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | - | - | unknown
- | - | HEAD | 200 | 2.16.10.183:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | - | - | unknown
- | - | POST | 200 | 104.16.55.40:443 | https://data.riotgames.com/collector/v2/events | unknown | text | 4 b | unknown
- | - | GET | 200 | 104.18.157.37:443 | https://clientconfig.rpg.riotgames.com/api/v1/config/public?region=NA&os=windows&app=Riot%20Client&version=91.0.2.1870&patchline=KeystoneFoundationLiveWin&namespace=keystone.self_update | unknown | binary | 218 b | unknown
- | - | GET | 206 | 2.16.10.182:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown
- | - | GET | 206 | 2.16.10.182:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown
- | - | GET | 206 | 2.16.10.183:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown
- | - | GET | 206 | 2.16.10.183:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown
- | - | GET | 206 | 2.16.10.183:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown
- | - | GET | 206 | 2.16.10.182:443 | https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest | unknown | binary | 34.7 Kb | unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
6872
RiotClientServices.exe
104.16.56.40:443
data.riotgames.com
CLOUDFLARENET
unknown
6872
RiotClientServices.exe
104.18.156.37:443
clientconfig.rpg.riotgames.com
CLOUDFLARENET
unknown
6872
RiotClientServices.exe
104.17.173.5:443
ks-foundation.secure.dyn.riotcdn.net
CLOUDFLARENET
unknown
6872
RiotClientServices.exe
104.17.174.5:443
ks-foundation.secure.dyn.riotcdn.net
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
data.riotgames.com
  • 104.16.56.40
  • 104.16.55.40
whitelisted
clientconfig.rpg.riotgames.com
  • 104.18.156.37
  • 104.18.157.37
whitelisted
ks-foundation.secure.dyn.riotcdn.net
  • 104.17.173.5
  • 104.17.174.5
whitelisted

Threats

Found threats are available for the paid subscriptions
136 ETPRO signatures available at the full report
Process
Message
RiotClientServices.exe
ALWAYS| Running Dev Feature 2 Installer.
RiotClientServices.exe
OKAY| Loaded system.yaml from embedded resource in executable.
RiotClientServices.exe
ALWAYS| App Root: C:/Users/admin/Desktop
RiotClientServices.exe
OKAY| Initializing Open Telemetry
RiotClientServices.exe
OKAY| Initialize Open Telemetry Logger
RiotClientServices.exe
OKAY| Open Telemetry Logger provider set successfully.
RiotClientServices.exe
ERROR| Reading self-update install settings: Error opening file: Error code 3: The system cannot find the path specified.
RiotClientServices.exe
ALWAYS| Launcher Build CL:1870
RiotClientServices.exe
OKAY| Launcher enabled with the following metadata:
RiotClientServices.exe
OKAY| appName: Riot Client Launcher