rdrleakdiag.exe

  • File Path: C:\WINDOWS\system32\rdrleakdiag.exe
  • Description: Microsoft Windows Resource Leak Diagnostic

Hashes

Type Hash
MD5 2A579DF9E345F7383F19B50B1E445505
SHA1 89F30AB6CA436A818FF0913ED4E7CE5CEDBE27CA
SHA256 FCC8CBD3167F09BF585F7F611EF2FC720B8697E2EEFB4154BB2370C681A18651
SHA384 15808A75F7266C7D22941A7CABAD1EA5D451361804085A238BA0AF6BD00C24EC0EBAD01EC84B925727B45A2549E9BCE4
SHA512 8E059780B2C33A4BDD54061513C706E95550BB0BAC1C7BB2CB9BC570181AAEB2DEC3B8EDC8A86EC878CF2EB29F0135C47A985520EA4C36528BDC8B3F671DBA59
SSDEEP 768:Fvsr4G0U6aPNe0QnPRF4sSnKnF4jFYLEWVZ0xLxTXcDko6PNDo2NDYMXdsz:FvuA7PRSsdOyDGwQo6PNDYMXd
IMP BBAEDDB424D5E6AD0FEA37AAAE4FA16C
PESHA1 254F2A084763131E2EB6C595893236C77AC16E55
PE256 A443AF7567602A904A3E6D95AFA8631DFCD02F1615AC28E3332538F9322B3978

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\rdrleakdiag.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RdrLeakDiag.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/fcc8cbd3167f09bf585f7f611ef2fc720b8697e2eefb4154bb2370c681a18651/detection

Possible Misuse

The following table contains possible examples of rdrleakdiag.exe being misused. While rdrleakdiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_process_dump_rdrleakdiag.yml title: Process Dump via RdrLeakDiag.exe DRL 1.0
sigma proc_creation_win_process_dump_rdrleakdiag.yml description: Detects a process memory dump performed by RdrLeakDiag.exe DRL 1.0
sigma proc_creation_win_process_dump_rdrleakdiag.yml OriginalFileName: RdrLeakDiag.exe DRL 1.0
sigma proc_creation_win_proc_dump_rdrleakdiag.yml title: RdrLeakDiag Process Dump DRL 1.0
sigma proc_creation_win_proc_dump_rdrleakdiag.yml description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory DRL 1.0
sigma proc_creation_win_proc_dump_rdrleakdiag.yml Image\|endswith: '\rdrleakdiag.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.