ProcDump
ProcDump is a legitimate Microsoft Sysinternals memory-dump utility that is widely abused by threat actors for credential access and related post-exploitation activity. Across the provided reporting, its most common malicious use is dumping the memory of lsass.exe to obtain credentials, hashes, tickets, and other secrets for lateral movement, privilege escalation, and follow-on compromise. Reported command lines include variants such as "procdump.exe -accepteula -ma lsass.exe lsass.dmp", "%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip", and "procdump64.exe -ma lsass.exe". Actors frequently rename the binary to evade detection, with observed names including pr.exe, pr64.exe, mpms.exe, and p.exe, and one report cited placement as c:\windows\system32\prc64.exe.
The content also documents ProcDump being used beyond LSASS dumping. In one ToddyCat case, attackers used Sysinternals ProcDump to dump the running Outlook process to extract Microsoft 365 OAuth tokens after browser-based token theft was blocked. The tool is repeatedly described as part of broader hands-on-keyboard intrusions and ransomware or espionage operations.
Threat actors and groups explicitly associated with ProcDump use in the content include Kimsuky, APT33, APT39, FIN13, Elephant Beetle, PARINACOTA, Lazarus/Andariel-related activity, ToddyCat, FamousSparrow, and operators in Everest and other ransomware-linked intrusions. Additional reporting references its use in campaigns involving compromised IIS servers, VMware Horizon exploitation, phishing-led domain compromise, and exploitation of public-facing applications.
Observed victim environments and targets include Windows systems generally, domain controllers, backup servers, IIS web servers in South Korea, finance and commerce organizations in Latin America, telecommunications and travel organizations, energy providers, hotels, government and military networks, and enterprise Microsoft Exchange or Microsoft 365 environments.
Detection-relevant indicators in the content focus on LSASS access and dump creation rather than the tool name alone. Reported telemetry includes Windows Security Event ID 4656 handle requests to \Windows\System32\lsass.exe with suspicious access masks such as 0x1fffff, 0x1010, 0x120089, and 0x1F3FFF; Sysmon Event ID 10 for LSASS access; Sysmon Event ID 11 for creation of lsass*.dmp files; and call traces involving dbghelp. Because ProcDump is a legitimate administrative tool, defenders should expect adversaries to abuse renamed copies and blend usage into normal administration.
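To show how the telemetry above combines into a detection, here is an added example (not taken from the cited reporting or from Sysinternals) that triages constructed Security 4656, Sysmon 10/11 and process-creation events for the listed LSASS access masks, lsass*.dmp writes, the "-ma lsass" command shape, and renamed copies caught via the PE OriginalFileName that Sysmon records; the flat dict field names and all sample values are assumptions.

```python
import re

# Access masks the reporting associates with LSASS handle requests (Security Event ID 4656).
SUSPICIOUS_LSASS_MASKS = {0x1FFFFF, 0x1010, 0x120089, 0x1F3FFF}
# ProcDump's LSASS-dump command shape regardless of binary name: "-ma" then lsass as the target.
PROCDUMP_LSASS_CMD = re.compile(r"(?i)(^|\s)-ma\s+lsass(\.exe)?(\s|$)")
LSASS_DUMP_FILE = re.compile(r"(?i)(^|[\\/])lsass[^\\/]*\.dmp$")

def is_lsass(path):
    return path.lower().endswith("\\lsass.exe")

def triage_event(ev):
    """Return a finding string for one event, or None. The dict keys are an assumed
    normalisation (source, event_id, per-event fields), not any vendor's schema."""
    src, eid = ev["source"], ev["event_id"]
    if src == "security" and eid == 4656 and is_lsass(ev.get("object_name", "")):
        mask = int(ev.get("access_mask", "0"), 16)
        if mask in SUSPICIOUS_LSASS_MASKS:
            return f"lsass handle request, mask {mask:#x}, from {ev.get('process_name')}"
    elif src == "sysmon" and eid == 10 and is_lsass(ev.get("target_image", "")):
        return f"lsass access from {ev.get('source_image')}; call trace {ev.get('call_trace', '')}"
    elif src == "sysmon" and eid == 11 and LSASS_DUMP_FILE.search(ev.get("target_filename", "")):
        return f"lsass dump written: {ev['target_filename']} by {ev.get('image')}"
    elif eid in (1, 4688):  # Sysmon 1 / Security 4688: process creation
        cmd, image = ev.get("command_line", ""), ev.get("image", "").rsplit("\\", 1)[-1].lower()
        original = ev.get("original_file_name", "").lower()  # PE metadata survives renaming
        if PROCDUMP_LSASS_CMD.search(cmd):
            return f"procdump-style lsass dump command: {cmd}"
        if original.startswith("procdump") and not image.startswith("procdump"):
            return f"renamed ProcDump ({original} running as {image}): {cmd}"
    return None

def triage(events):
    return [f for f in (triage_event(e) for e in events) if f]

# Constructed sample telemetry modelled on the command lines and event IDs in the report above.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "image": r"C:\ProgramData\p.exe", "original_file_name": "procdump",
     "command_line": r"C:\ProgramData\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip"},
    {"source": "security", "event_id": 4656, "object_name": r"\Windows\System32\lsass.exe",
     "access_mask": "0x1fffff", "process_name": r"C:\Windows\System32\prc64.exe"},
    {"source": "sysmon", "event_id": 10, "source_image": r"C:\Windows\System32\prc64.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "call_trace": r"C:\Windows\System32\dbghelp.dll+1234"},
    {"source": "sysmon", "event_id": 11, "image": r"C:\Windows\System32\prc64.exe",
     "target_filename": r"C:\ProgramData\lsass.dmp"},
    {"source": "sysmon", "event_id": 1, "image": r"C:\Tools\pr64.exe", "original_file_name": "procdump",
     "command_line": r"C:\Tools\pr64.exe -accepteula -ma w3wp.exe w3wp.dmp"},  # renamed, non-LSASS target
    {"source": "security", "event_id": 4656, "object_name": r"\Windows\System32\lsass.exe",
     "access_mask": "0x1000", "process_name": r"C:\Windows\System32\svchost.exe"},  # mask not flagged
]
```

Running triage(SAMPLE_EVENTS) yields five findings: the first four events plus the renamed copy; the svchost handle with mask 0x1000 is not flagged.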
Groups observed using it
14 distinct threat actors attributed by public researchers.
The threat group was observed harvesting credentials on Windows machines by using renamed versions of the ProcDump executable (pr.exe, pr64.exe and more) for dumping the LSASS.exe process memory.
"… the attackers switched to a memory-dump tool (ProcDump from Sysinternals) to extract the tokens directly from the running Outlook process."
"A small utility that drops ProcDump on disk and uses it to dump the lsass process..."
APT33 has used... ProcDump to dump credentials... FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory...
"Kimsuky uses ProcDump... inclusion of ProcDump in the BabyShark malware."
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 2 techniques
Execution: 1 technique
Stealth: 1 technique
Credential Access: 3 techniques
Among those activities were: Credential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.
Discovery: 1 technique
Lateral Movement: 2 techniques
Command and Control: 1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
Sysinternals dump utility used to create LSASS memory dump files that can later be parsed for credentials.
Sysinternals memory-dump tool, here abused to extract OAuth2/Microsoft 365 tokens from the memory of the running Outlook process.
Legitimate Sysinternals utility abused to dump process memory (here, Outlook) to recover OAuth 2.0 access tokens when browser token extraction was blocked.
Sysinternals process dump utility abused by Play/Balloonfly to dump process memory (commonly LSASS) for credential theft during ransomware operations.