File name: RiotClientServices.exe
Full analysis: https://app.any.run/tasks/be2ebe1e-dcb1-49de-8c90-f946326c2595
Verdict: Malicious activity
Analysis date: August 03, 2024, 20:07:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: CA7EF8FD39C4D993892401B22C9063B6
SHA1: E36123817F82DB1386CBEBFACED782162A3A2ECC
SHA256: 8BF154E63415C66AB64ED51E62C22659C8F52B03C74E06DDE6F30ED920862C14
SSDEEP: 786432:r7QfqcQT6F+jKt2BAfgg4YEDxKzMT/aYyU3V7l68g:XQfdQOUKt2BAf14YIxAMr/3368g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RiotClientServices.exe (PID: 6872)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • RiotClientServices.exe (PID: 6872)
    • Application launched itself

      • RiotClientServices.exe (PID: 6872)
    • Process drops legitimate windows executable

      • RiotClientServices.exe (PID: 6872)
    • Reads the date of Windows installation

      • RiotClientServices.exe (PID: 6872)
    • Executable content was dropped or overwritten

      • RiotClientServices.exe (PID: 6872)
  • INFO

    • Creates files in the program directory

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Creates files or folders in the user directory

      • RiotClientServices.exe (PID: 7048)
      • RiotClientServices.exe (PID: 6872)
    • Checks supported languages

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Reads the computer name

      • RiotClientServices.exe (PID: 6872)
      • RiotClientServices.exe (PID: 7048)
    • Process checks computer location settings

      • RiotClientServices.exe (PID: 6872)
    • Create files in a temporary directory

      • RiotClientServices.exe (PID: 6872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1985:08:03 07:48:49+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.4
CodeSize: 6908928
InitializedDataSize: 63644672
UninitializedDataSize: -
EntryPoint: 0x61785c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 91.0.2.1870
ProductVersionNumber: 91.0.2.1870
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Riot Client
FileVersion: 91.0.2.1870
InternalName: Riot Client
OriginalFileName: RiotClientServices.exe
ProductName: RiotClient
ProductVersion: 91.0.2.1870
CompanyName: Riot Games, Inc.
LegalCopyright: (c) 2019 Riot Games, Inc.
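The EXIF block above is a rendering of the PE headers, and one field deserves a caveat: a TimeStamp of 1985 predates the PE format itself (Windows NT 3.1, 1993), so it cannot be the real link time; MSVC's /Brepro option, for example, stores a reproducibility hash in TimeDateStamp, and the value should not be used to date the build. The script below is an added example, not part of the ANY.RUN report or of Riot's software. It parses the MZ/COFF/optional headers with the standard library, re-derives the fields listed above, and flags an implausible timestamp. The header bytes it parses are constructed inline from the report's EXIF values so it runs offline; feed it the first few kilobytes of a real file to repeat the check on a sample.

```python
"""Re-derive the report's EXIF fields from raw PE headers (standard library only).

Added example, not part of the ANY.RUN report or of Riot's software. The
header bytes are CONSTRUCTED from the EXIF values above so the script runs
offline; pass the first few KB of a real file to parse_pe_headers() instead.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B
CHARACTERISTICS = {0x0002: "Executable", 0x0020: "Large address aware",
                   0x0100: "32-bit", 0x2000: "DLL"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
# PE arrived with Windows NT 3.1 in 1993; an earlier TimeDateStamp cannot be a
# real link time. MSVC /Brepro, for one, stores a reproducibility hash there.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=timezone.utc)


def build_sample_pe() -> bytes:
    """CONSTRUCTED minimal MZ/PE32 header carrying the report's EXIF values."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    timestamp = 491903329                       # 1985-08-03 07:48:49 UTC
    characteristics = 0x0002 | 0x0020 | 0x0100  # Executable | Large address aware | 32-bit
    opt_size = 96                               # PE32 optional header without data directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 5, timestamp, 0, 0,
                       opt_size, characteristics)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
        PE32_MAGIC, 14, 4,                      # magic, LinkerVersion 14.4
        6908928, 63644672, 0,                   # CodeSize, InitializedDataSize, UninitializedDataSize
        0x61785C, 0x1000, 0x697000,             # EntryPoint, BaseOfCode, BaseOfData (assumed bases)
        0x400000, 0x1000, 0x200,                # ImageBase, SectionAlignment, FileAlignment (assumed)
        6, 0, 0, 0, 6, 0,                       # OSVersion 6.0, ImageVersion 0.0, SubsystemVersion 6.0
        0, 0x4400000, 0x400, 0,                 # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8140,                              # Subsystem = Windows GUI, DllCharacteristics (assumed)
    )
    return dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0")


def parse_pe_headers(data: bytes) -> dict:
    """Return the COFF/optional-header fields the report lists under EXIF."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, maj_link, min_link, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError(f"not a PE32 optional header (magic {magic:#x})")
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    linked = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "MachineType": "Intel 386 or later" if machine == IMAGE_FILE_MACHINE_I386 else f"{machine:#06x}",
        "TimeStamp": linked.isoformat(),
        # False for dates before PE existed or in the future: treat the field as untrusted.
        "TimeStampPlausible": EARLIEST_PLAUSIBLE <= linked <= datetime.now(timezone.utc),
        "ImageFileCharacteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "PEType": "PE32",
        "LinkerVersion": f"{maj_link}.{min_link}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": f"{entry:#x}",
        "OSVersion": f"{os_maj}.{os_min}",
        "ImageVersion": f"{img_maj}.{img_min}",
        "SubsystemVersion": f"{ss_maj}.{ss_min}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


if __name__ == "__main__":
    for key, value in parse_pe_headers(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Values the report does not list (ImageBase, alignments, DllCharacteristics) are filled with typical defaults and are not claims about the real binary; the parser ignores them.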
No data.
All screenshots are available in the full report
Total processes: 112
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> riotclientservices.exe -> riotclientservices.exe

Process information

PID: 6872
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: explorer.exe
User: admin
Company: Riot Games, Inc.
Integrity Level: MEDIUM
Description: Riot Client
Version: 91.0.2.1870
Modules (images):
  c:\users\admin\desktop\riotclientservices.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 7048
CMD: "C:\Users\admin\Desktop\RiotClientServices.exe" "--agent" "--riotclient-app-port=49721" "--riotclient-auth-token=ZT5fxO5DW9iDkaS6vtCBhA" "--app-root=C:/Users/admin/Desktop" "--data-root=C:/ProgramData/Riot Games/Metadata" "--update-root=C:/ProgramData/Riot Games/Metadata/RiotClientServices/Update" "--log-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices/Logs" "--user-data-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices" "--session-id=e04e2925-cb33-cb45-9e5b-5a83bcd85bd1"
Path: C:\Users\admin\Desktop\RiotClientServices.exe
Parent process: RiotClientServices.exe (PID 6872)
User: admin
Company: Riot Games, Inc.
Integrity Level: HIGH
Description: Riot Client
Version: 91.0.2.1870
Modules (images):
  c:\users\admin\desktop\riotclientservices.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll
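PID 7048 is the "--agent" relaunch that the "Application launched itself" indicator points at, and it runs at HIGH integrity while its parent ran at MEDIUM, so the relaunch went through an elevation (consistent with the files dropped under C:\Riot Games and C:\ProgramData). The relaunch also receives a local API port and an auth token as command-line arguments. Command lines are readable by any process in the same session that can enumerate processes (Task Manager, WMI's Win32_Process, a debugger), so a token passed this way is observable to other user-level code, and it also ends up verbatim in sandbox reports like this one. The script below is an added example, not part of the report or of Riot's software: it splits that command line, picks out argument names that look like credentials, and produces a redacted copy fit for a ticket. The credential-name pattern and the simplified quoting rules (no CommandLineToArgvW backslash handling) are its own assumptions.

```python
"""Audit a Windows process command line for secrets passed as arguments.

Added example, not part of the ANY.RUN report or of Riot's software. The
sample command line is copied from the PID 7048 row above; the credential
name pattern and the simplified quoting rules are this script's assumptions.
"""
import re

# Copied from the report's process table (PID 7048, parent PID 6872).
SAMPLE_CMDLINE = (
    '"C:\\Users\\admin\\Desktop\\RiotClientServices.exe" "--agent" '
    '"--riotclient-app-port=49721" "--riotclient-auth-token=ZT5fxO5DW9iDkaS6vtCBhA" '
    '"--app-root=C:/Users/admin/Desktop" "--data-root=C:/ProgramData/Riot Games/Metadata" '
    '"--update-root=C:/ProgramData/Riot Games/Metadata/RiotClientServices/Update" '
    '"--log-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices/Logs" '
    '"--user-data-root=C:/Users/admin/AppData/Local/Riot Games/RiotClientServices" '
    '"--session-id=e04e2925-cb33-cb45-9e5b-5a83bcd85bd1"'
)

# Argument names that usually carry a credential (assumption; tune per target).
SECRET_NAME = re.compile(r"(token|secret|password|passwd|pwd|api[-_]?key|auth)", re.I)


def split_windows_cmdline(cmdline: str) -> list:
    """Split on unquoted spaces and strip double quotes.

    Simplified on purpose: CommandLineToArgvW's backslash-before-quote rules
    are not implemented, which is fine for the report's line (it has none).
    Values containing spaces, like "C:/ProgramData/Riot Games/...", survive.
    """
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_args(argv: list) -> dict:
    """Map --name=value (or a bare --flag, value None); argv[0] is the image."""
    parsed = {}
    for arg in argv[1:]:
        name, sep, value = arg.partition("=")
        parsed[name] = value if sep else None
    return parsed


def redact(cmdline: str, secrets: list) -> str:
    """Replace each secret value so the line can be pasted into a report."""
    for secret in secrets:
        cmdline = cmdline.replace(secret, "<redacted>")
    return cmdline


def audit_cmdline(cmdline: str) -> dict:
    """Summarise what a process reveals to anyone who can read its command line."""
    argv = split_windows_cmdline(cmdline)
    args = parse_args(argv)
    exposed = sorted(name for name, value in args.items() if value and SECRET_NAME.search(name))
    return {
        "image": argv[0],
        "args": args,
        "agent_mode": "--agent" in args,          # the relaunch flag seen on PID 7048
        "exposed_secret_args": exposed,
        "redacted": redact(cmdline, [args[name] for name in exposed]),
    }


if __name__ == "__main__":
    result = audit_cmdline(SAMPLE_CMDLINE)
    print("secrets on the command line:", result["exposed_secret_args"])
    print(result["redacted"])
```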
Total events: 8 467
Read events: 8 448
Write events: 13
Delete events: 6

Modification events

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write  ProxyBypass    = 1
  write  IntranetName   = 1
  write  UNCAsIntranet  = 1
  write  AutoDetect     = 0

(PID) Process: (6872) RiotClientServices.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
  write         Owner         = D81A0000EAD33BD3E0E5DA01
  write         SessionHash   = AF7933757B26A58E85DE9B9F43338875A020D315E75A492D72CDE819F62A87EA
  write         Sequence      = 1
  write         RegFiles0000  = C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Riot Games
  write         RegFilesHash  = 177B67F45F99B809E9348BABBA8952C9468C46C64B324C182C7F037C8AC43823
  delete value  RegFilesHash  (value shown as unprintable binary in the report)
Executable files: 6
Suspicious files: 39
Text files: 3
Unknown types: 21

Dropped files

PID 6872, RiotClientServices.exe

C:\Riot Games\Riot Client\RiotClientElectron\LICENSES.chromium.html
  Type: -   MD5: -   SHA256: -
C:\Riot Games\Riot Client\RiotClientElectron\Riot Client.exe
  Type: -   MD5: -   SHA256: -
C:\Riot Games\Riot Client\RiotClientElectron\icudtl.dat
  Type: -   MD5: -   SHA256: -
C:\ProgramData\Riot Games\machine.cfg
  Type: text
  MD5: 193A98E540281DBBED57069BB936EF10
  SHA256: AC3809BEABAA69224C1019F4800539A96C079E472FF3B3E3E95632094F925B37
C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.db-journal
  Type: binary
  MD5: 9E3E67745C767F13FC9C9DC827254922
  SHA256: B68C1CD8019B84A6B405B26E211076DB01BD1D6305CB437836FCBEB7E74BB20E
C:\ProgramData\Riot Games\Metadata\Riot Client\Riot Client.manifest
  Type: binary
  MD5: 3E4BF746075AB6148BF8E3531F9C6934
  SHA256: 5FE43A01F1E50CEB1A2EBFDEBCE44BA6DDF958F555432C55DCB36F1C372BED27
C:\Riot Games\Riot Client\RiotClientElectron\d3dcompiler_47.dll
  Type: executable
  MD5: AB3BE0C427C6E405FAD496DB1545BD61
  SHA256: 827D12E4ED62520B663078BBF26F95DFD106526E66048CF75B5C9612B2FB7CE6
C:\Riot Games\Riot Client\RiotClientElectron\libEGL.dll
  Type: executable
  MD5: 51CC9F3891CFE33E095F901C8E5F121D
  SHA256: 961AFF31CAB097EBB973A32140C4F87C415734412771CF1FDFE24DDC675B54C2
C:\Riot Games\Riot Client\RiotClientElectron\locales\ar.pak
  Type: pgc
  MD5: 98F8A48892B41E64BEF135B86F3D4A6C
  SHA256: E34D5CABAED4634C672591074057C12947BC9E728004228A9E75F87829F4A48A
C:\Riot Games\Riot Client\Resources\icon.ico
  Type: image
  MD5: 6D64639AB95A44FA7967E6A5C481662B
  SHA256: ED7C539DD00734FB54C3504FC01123596F5AA3031DC0ECA5160CEF34DE5CAC5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 141
TCP/UDP connections: 60
DNS requests: 8
Threats: 136

HTTP requests

Method  Code  IP                 CN / Type / Size / Reputation (URL on the following line)

GET     200   104.18.157.37:443  CN: US       Type: binary  Size: 218 b    Reputation: unknown
        https://clientconfig.rpg.riotgames.com/api/v1/config/public?region=NA&os=windows&app=Riot%20Client&version=91.0.2.1870&patchline=KeystoneFoundationLiveWin&namespace=keystone.self_update
HEAD    200   2.16.10.183:443    CN: unknown  Type: -       Size: -        Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.183:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.182:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.183:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.182:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.183:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.183:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.182:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest
GET     206   2.16.10.182:443    CN: unknown  Type: binary  Size: 34.7 Kb  Reputation: unknown
        https://ks-foundation.secure.dyn.riotcdn.net/channels/public/releases/D77B432432F01CDD.manifest

Connections

PID   Process                 IP                    Domain                                ASN                          CN  Reputation
-     -                       239.255.255.250:1900  -                                     -                            -   whitelisted
-     -                       51.104.136.2:443      settings-win.data.microsoft.com       MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                       192.168.100.255:137   -                                     -                            -   whitelisted
4     System                  192.168.100.255:138   -                                     -                            -   whitelisted
6872  RiotClientServices.exe  104.16.56.40:443      data.riotgames.com                    CLOUDFLARENET                -   unknown
6872  RiotClientServices.exe  104.18.156.37:443     clientconfig.rpg.riotgames.com        CLOUDFLARENET                -   unknown
6872  RiotClientServices.exe  104.17.173.5:443      ks-foundation.secure.dyn.riotcdn.net  CLOUDFLARENET                -   unknown
6872  RiotClientServices.exe  104.17.174.5:443      ks-foundation.secure.dyn.riotcdn.net  CLOUDFLARENET                -   unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
data.riotgames.com
  • 104.16.56.40
  • 104.16.55.40
whitelisted
clientconfig.rpg.riotgames.com
  • 104.18.156.37
  • 104.18.157.37
whitelisted
ks-foundation.secure.dyn.riotcdn.net
  • 104.17.173.5
  • 104.17.174.5
whitelisted

Threats

136 ETPRO signatures available at the full report
Process                 Message
RiotClientServices.exe  ALWAYS| Running Dev Feature 2 Installer.
RiotClientServices.exe  OKAY| Loaded system.yaml from embedded resource in executable.
RiotClientServices.exe  ALWAYS| App Root: C:/Users/admin/Desktop
RiotClientServices.exe  OKAY| Initializing Open Telemetry
RiotClientServices.exe  OKAY| Initialize Open Telemetry Logger
RiotClientServices.exe  OKAY| Open Telemetry Logger provider set successfully.
RiotClientServices.exe  ERROR| Reading self-update install settings: Error opening file: Error code 3: The system cannot find the path specified.
RiotClientServices.exe  ALWAYS| Launcher Build CL:1870
RiotClientServices.exe  OKAY| Launcher enabled with the following metadata:
RiotClientServices.exe  OKAY| appName: Riot Client Launcher