File name: RiotClientServices.exe
Full analysis: https://app.any.run/tasks/be2ebe1e-dcb1-49de-8c90-f946326c2595
Verdict: Malicious activity
Analysis date: August 03, 2024, 20:07:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: CA7EF8FD39C4D993892401B22C9063B6
SHA1: E36123817F82DB1386CBEBFACED782162A3A2ECC
SHA256: 8BF154E63415C66AB64ED51E62C22659C8F52B03C74E06DDE6F30ED920862C14
SSDEEP: 786432:r7QfqcQT6F+jKt2BAfgg4YEDxKzMT/aYyU3V7l68g:XQfdQOUKt2BAf14YIxAMr/3368g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • RiotClientServices.exe (PID: 6872)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • RiotClientServices.exe (PID: 6872)
    • Reads the date of Windows installation
      • RiotClientServices.exe (PID: 6872)
    • Application launched itself
      • RiotClientServices.exe (PID: 6872)
    • Executable content was dropped or overwritten
      • RiotClientServices.exe (PID: 6872)
    • Process drops legitimate windows executable
      • RiotClientServices.exe (PID: 6872)
  • INFO
    • Checks supported languages
      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Creates files in the program directory
      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Creates files or folders in the user directory
      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Process checks computer location settings
      • RiotClientServices.exe (PID: 6872)
    • Reads the computer name
      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Create files in a temporary directory
      • RiotClientServices.exe (PID: 6872)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1985:08:03 07:48:49+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 6908928
InitializedDataSize: 63644672
UninitializedDataSize: -
EntryPoint: 0x61785c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 91.0.2.1870
ProductVersionNumber: 91.0.2.1870
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Riot Client
FileVersion: 91.0.2.1870
InternalName: Riot Client
OriginalFileName: RiotClientServices.exe
ProductName: RiotClient
ProductVersion: 91.0.2.1870
CompanyName: Riot Games, Inc.
LegalCopyright: (c) 2019 Riot Games, Inc.
No data.
All screenshots are available in the full report
Total processes: 112
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> riotclientservices.exe -> riotclientservices.exe

Process information

PID: 6872
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: explorer.exe
User: admin
Company: Riot Games, Inc.
Integrity Level: MEDIUM
Description: Riot Client
Version: 91.0.2.1870
Modules (Images):
c:\users\admin\desktop\riotclientservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7048
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe" "--agent" "--riotclient-app-port=49721" "--riotclient-auth-token=ZT5fxO5DW9iDkaS6vtCBhA" "--app-root=C:/Users/admin/Desktop" "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/RiotClientServices/Update" "--log-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices/Logs" "--user-data-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices" "--session-id=e04e2925-cb33-cb45-9e5b-5a83bcd85bd1"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: RiotClientServices.exe
User: admin
Company: Riot Games, Inc.
Integrity Level: HIGH
Description: Riot Client
Version: 91.0.2.1870
Modules (Images):
c:\users\admin\desktop\riotclientservices.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 8 467
Read events: 8 448
Write events: 13
Delete events: 6

Modification events

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: D81A0000EAD33BD3E0E5DA01

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: AF7933757B26A58E85DE9B9F43338875A020D315E75A492D72CDE819F62A87EA

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Riot Games

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 177B67F45F99B809E9348BABBA8952C9468C46C64B324C182C7F037C8AC43823

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: 笗饟স㓩ꮋ覺쥒豆왆㉋ᡌ缬簃쒊⌸
Executable files: 6
Suspicious files: 39
Text files: 3
Unknown types: 21

Dropped files

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\LICENSES.chromium.html
MD5:
SHA256:

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\Riot Client.exe
MD5:
SHA256:

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\icudtl.dat
MD5:
SHA256:

PID: 6872; Process: RiotClientServices.exe; Filename: C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.manifest; Type: binary
MD5: 3E4BF746075AB6148BF8E3531F9C6934
SHA256: 5FE43A01F1E50CEB1A2EBFDEBCE44BA6DDF958F555432C55DCB36F1C372BED27

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientCrashHandler.exe; Type: executable
MD5: 6BB6CD85ED3CF88E5E7541612D8190FF
SHA256: D1A9A77ABE60E39A4A37AA9C307B8A6E314B48F66C82FC58AC0F1AE45A537EDF

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\locales\af.pak; Type: binary
MD5: 198092A7A82EFCED4D59715BD3E41703
SHA256: D63222C4A20FA9741F5262634CF9751F22FBB4FCD9D3138D7C8D49E0EFB57FBA

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\Microsoft.Gaming.XboxApp.Extensions.winmd; Type: executable
MD5: D6ABF638473C8FA2B7F88961D5402FCF
SHA256: 000D645A07789C850A7B4CB63A864CEDE47F9DE81ADC8534EC1FECA3807843C0

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\chrome_100_percent.pak; Type: binary
MD5: D31F3439E2A3F7BEE4DDD26F46A2B83F
SHA256: 9F79F46CA911543EAD096A5EE28A34BF1FBE56EC9BA956032A6A2892B254857E

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\d3dcompiler_47.dll; Type: executable
MD5: AB3BE0C427C6E405FAD496DB1545BD61
SHA256: 827D12E4ED62520B663078BBF26F95DFD106526E66048CF75B5C9612B2FB7CE6

PID: 6872; Process: RiotClientServices.exe; Filename: C:\Riot Games\Riot Client\RiotClientElectron\libEGL.dll; Type: executable
MD5: 51CC9F3891CFE33E095F901C8E5F121D
SHA256: 961AFF31CAB097EBB973A32140C4F87C415734412771CF1FDFE24DDC675B54C2
HTTP(S) requests: 141
TCP/UDP connections: 60
DNS requests: 8
Threats: 136

HTTP requests

Method: HEAD; HTTP Code: 200; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown
Method: HEAD; HTTP Code: 200; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown
Method: GET; HTTP Code: 200; IP: 104.18.157.37:443; URL: https://clientconfig.rpg.riotgames.com/api/v1/config/public?region=NA&os=windows&app=Riot%20Client&version=91.0.2.1870&patchline=KeystoneFoundationLiveWin&namespace=keystone.self_update; CN: unknown; Type: binary; Size: 218 b
Method: GET; HTTP Code: 206; IP: 2.16.10.182:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.182:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.182:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb
Method: GET; HTTP Code: 206; IP: 2.16.10.183:443; URL: https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest; CN: unknown; Type: binary; Size: 34.7 Kb

Connections

IP: 239.255.255.250:1900; Reputation: whitelisted
IP: 51.104.136.2:443; Domain: settings-win.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: IE; Reputation: whitelisted
IP: 192.168.100.255:137; Reputation: whitelisted
PID: 4; Process: System; IP: 192.168.100.255:138; Reputation: whitelisted
PID: 6872; Process: RiotClientServices.exe; IP: 104.16.56.40:443; Domain: data.riotgames.com; ASN: CLOUDFLARENET; CN: unknown
PID: 6872; Process: RiotClientServices.exe; IP: 104.18.156.37:443; Domain: clientconfig.rpg.riotgames.com; ASN: CLOUDFLARENET; CN: unknown
PID: 6872; Process: RiotClientServices.exe; IP: 104.17.173.5:443; Domain: ks-foundation.secure.dyn.riotcdn.net; ASN: CLOUDFLARENET; CN: unknown
PID: 6872; Process: RiotClientServices.exe; IP: 104.17.174.5:443; Domain: ks-foundation.secure.dyn.riotcdn.net; ASN: CLOUDFLARENET; CN: unknown

DNS requests

Domain: settings-win.data.microsoft.com; IP: 51.104.136.2; Reputation: whitelisted
Domain: google.com; IP: 142.250.186.78; Reputation: whitelisted
Domain: data.riotgames.com; IP: 104.16.56.40, 104.16.55.40; Reputation: whitelisted
Domain: clientconfig.rpg.riotgames.com; IP: 104.18.156.37, 104.18.157.37; Reputation: whitelisted
Domain: ks-foundation.secure.dyn.riotcdn.net; IP: 104.17.173.5, 104.17.174.5; Reputation: whitelisted

Threats

136 ETPRO signatures available at the full report
Process: Message
RiotClientServices.exe: ALWAYS| Running Dev Feature 2 Installer.
RiotClientServices.exe: OKAY| Loaded system.yaml from embedded resource in executable.
RiotClientServices.exe: ALWAYS| App Root: C:/Users/admin/Desktop
RiotClientServices.exe: OKAY| Initializing Open Telemetry
RiotClientServices.exe: OKAY| Initialize Open Telemetry Logger
RiotClientServices.exe: OKAY| Open Telemetry Logger provider set successfully.
RiotClientServices.exe: ERROR| Reading self-update install settings: Error opening file: Error code 3: The system cannot find the path specified.
RiotClientServices.exe: ALWAYS| Launcher Build CL:1870
RiotClientServices.exe: OKAY| Launcher enabled with the following metadata:
RiotClientServices.exe: OKAY| appName: Riot Client Launcher