rdrleakdiag.exe

  • File Path: C:\Windows\SysWOW64\rdrleakdiag.exe
  • Description: Microsoft Windows Resource Leak Diagnostic

Hashes

| Type | Hash |
|------|------|
| MD5 | 38493CA013248385CA27A62062636ABA |
| SHA1 | C0FB3D581A4716F31537058C9FBDF4A97AC1CB18 |
| SHA256 | 420797C47485EDB779E4ADC7445F12CE4C16BA310BCC9562492798E58EBA3352 |
| SHA384 | 049341B4E19659E6EAAF5963FED00E08887729F52E9F67D7F03233E97EF90A788FF2C4957EE64C5EA6F46231F83FD217 |
| SHA512 | 67E8FBFEC6E8C3590223EC55F7D6EB8AD722350268383CF176D24E83C6B19CB929AE83359F9C67F8E5DC9F818AB3FD74590BD9094E8A6FAB3C8D0E1D2C11BD4B |
| SSDEEP | 768:H1XbCjzgom/r0LoKeM93UycvBNRgkgOcT7+cwQ7txGEhsO/pIS6VNco2NU+/zF3r:Ke+cM15HsE56VNB+1J1 |
| IMP | 98FF00193ED1CAD8E5DA182FB187B5D1 |
| PESHA1 | 7CDA9DE51CD377EC1B1E17EA26FACBF654810D95 |
| PE256 | 49A21120FDD9D561B353678D38CD97D7F3830F162A6F668E0C89A2BFD62F15AA |

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\rdrleakdiag.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RdrLeakDiag.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/420797c47485edb779e4adc7445f12ce4c16ba310bcc9562492798e58eba3352/detection

Possible Misuse

The following table contains possible examples of rdrleakdiag.exe being misused. While rdrleakdiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_process_dump_rdrleakdiag.yml | title: Process Dump via RdrLeakDiag.exe | DRL 1.0 |
| sigma | proc_creation_win_process_dump_rdrleakdiag.yml | description: Detects a process memory dump performed by RdrLeakDiag.exe | DRL 1.0 |
| sigma | proc_creation_win_process_dump_rdrleakdiag.yml | OriginalFileName: RdrLeakDiag.exe | DRL 1.0 |
| sigma | proc_creation_win_proc_dump_rdrleakdiag.yml | title: RdrLeakDiag Process Dump | DRL 1.0 |
| sigma | proc_creation_win_proc_dump_rdrleakdiag.yml | description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory | DRL 1.0 |
| sigma | proc_creation_win_proc_dump_rdrleakdiag.yml | Image\|endswith: '\rdrleakdiag.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.