ProcDump
ProcDump is a legitimate Microsoft Sysinternals utility that threat actors widely abuse for credential access, most commonly by writing a memory dump of lsass.exe to disk and extracting credentials from it offline. The reporting describes LSASS dumping with commands such as "procdump.exe -accepteula -ma lsass.exe lsass.dmp" (-accepteula suppresses the license prompt, -ma writes a full memory dump) and renamed copies of the binary, including pr.exe, pr64.exe, p.exe, mpms.exe, and prc64.exe, used to evade file-name-based detection. Beyond LSASS, the reporting also notes ProcDump being used to dump the running Outlook process to extract Microsoft 365 OAuth tokens.
Observed behavior includes dumping LSASS memory to disk for offline credential extraction, running renamed ProcDump binaries, and using the tool as one step in broader post-compromise activity such as credential theft and lateral movement. Example paths and artifacts include "%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip" (note the dump written with a .zip rather than .dmp extension), lsass.dmp, and renamed binaries such as c:\windows\system32\prc64.exe.
Threat actors and clusters explicitly associated with ProcDump use in the content include Elephant Beetle/FIN13, Kimsuky, APT33, APT39, PARINACOTA, Lazarus/Andariel/Onyx Sleet-related activity, ToddyCat, FamousSparrow, Fox Kitten, HAFNIUM, Earth Lusca, Indrik Spider, and ransomware or intrusion activity involving LockBit 3.0, BianLian, Everest-related operations, and Play-associated reporting. In these cases, ProcDump is used alongside other credential theft and post-exploitation tooling such as Mimikatz, Windows Credential Editor, Dumpert, Cobalt Strike, Impacket, and PowerShell-based tooling.
Targeted environments in the content are primarily Windows systems, including domain controllers, IIS web servers, Exchange/Outlook environments, backup servers, and enterprise endpoints. Associated victim sectors and targeting contexts mentioned in the content include finance and commerce organizations in Latin America, telecommunications and travel organizations, energy providers, hotels, government and military networks, healthcare, manufacturing, agriculture, and South Korean IIS web servers.
The content consistently characterizes ProcDump as dual-use software: a benign administrative/debugging tool that adversaries abuse for credential dumping and token theft during intrusions.
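As an added illustration (not code from the original page or from Sysinternals), the following Python scores Windows process-creation records for ProcDump-style LSASS dumping. It keys on the command line and on the PE OriginalFileName rather than on the file name on disk, so the renamed variants listed above (p.exe, prc64.exe and the like) still match, and it also handles the case where the attacker passes lsass's numeric PID instead of its name. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the sample events, the PID 712 and all paths are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: PID of lsass.exe on the sample host. In
# production, resolve it from the host's process list at evaluation time.
LSASS_PID = 712

# ProcDump switches that indicate a dump is being taken. -ma (full dump) is
# the one in the reporting above; -mp (MiniPlus) and -mm (mini) are the other
# dump-type switches; -accepteula is almost always present in unattended use.
DUMP_SWITCHES = {"ma", "mp", "mm", "accepteula"}


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str               # Image: path of the executable as launched
    original_file_name: str  # OriginalFileName: from the PE version resource
    command_line: str        # CommandLine


@dataclass
class Finding:
    image: str
    severity: str            # "high", "medium" or "info"
    reasons: list = field(default_factory=list)


def _tokens(command_line):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def _switch(token):
    """Return the switch name if token is a switch ('-' or '/' prefix), else None."""
    if len(token) > 1 and token[0] in "-/":
        return token[1:].lower()
    return None


def _targets_lsass(token, lsass_pid):
    """True if the token names lsass.exe or is its numeric PID."""
    base = token.rsplit("\\", 1)[-1].lower()
    if base in ("lsass", "lsass.exe"):
        return True
    return token.isdigit() and int(token) == lsass_pid


def analyse(event, lsass_pid=LSASS_PID):
    """Score one process-creation event; return a Finding or None."""
    reasons = []
    image_base = event.image.rsplit("\\", 1)[-1].lower()
    orig = event.original_file_name.lower().removesuffix(".exe")
    is_procdump_pe = orig == "procdump"          # survives renaming on disk
    renamed = is_procdump_pe and not image_base.startswith("procdump")
    if renamed:
        reasons.append(f"renamed ProcDump: image {image_base}, OriginalFileName {orig}")

    args = _tokens(event.command_line)[1:]       # drop argv[0]
    switches = {s for s in map(_switch, args) if s}
    dump_switches = sorted(switches & DUMP_SWITCHES)
    if dump_switches:
        reasons.append("dump switches: " + ", ".join(dump_switches))

    targets = [a for a in args if _switch(a) is None and _targets_lsass(a, lsass_pid)]
    if targets:
        reasons.append("lsass targeted as: " + ", ".join(targets))

    procdump_like = is_procdump_pe or bool(dump_switches)
    if procdump_like and targets:
        severity = "high"      # ProcDump behaviour aimed at LSASS
    elif renamed:
        severity = "medium"    # ProcDump under another name, target not LSASS
    elif procdump_like:
        severity = "info"      # ordinary ProcDump use, worth an audit trail
    else:
        return None
    return Finding(event.image, severity, reasons)


def scan(events, lsass_pid=LSASS_PID):
    """Run analyse() over a batch and return the non-empty findings."""
    return [f for f in (analyse(e, lsass_pid) for e in events) if f]


# Constructed sample events; paths, PIDs and names are made up.
SAMPLE_EVENTS = [
    # 1. Unrenamed ProcDump, LSASS by name: the textbook case
    ProcEvent(r"C:\Tools\procdump64.exe", "procdump",
              r'"C:\Tools\procdump64.exe" -accepteula -ma lsass.exe C:\Temp\lsass.dmp'),
    # 2. Renamed to p.exe, dump written with a .zip extension
    ProcEvent(r"C:\ProgramData\p.exe", "procdump",
              r"C:\ProgramData\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip"),
    # 3. Renamed with tampered version info, LSASS given as a PID
    ProcEvent(r"C:\Windows\Temp\test.exe", "test.exe",
              r"test.exe -accepteula -ma 712 C:\Windows\Temp\a.bin"),
    # 4. Legitimate use: a developer dumps their own application
    ProcEvent(r"C:\Tools\procdump.exe", "procdump",
              r"procdump.exe -accepteula -ma myapp.exe C:\Temp\myapp.dmp"),
    # 5. Unrelated process whose argument merely contains 'lsass'
    ProcEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              r"notepad.exe lsass_notes.txt"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.image}: {'; '.join(f.reasons)}")
```

The PID path matters because a rule that only looks for the literal string "lsass" in the command line is blind to "-ma 712"; the PID has to be resolved from the host's process table at evaluation time. OriginalFileName is a useful second signal, but, as the version-info tampering noted further down this page shows, it can be rewritten, so the command-line heuristic is the one that must not depend on it.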
Groups observed using it
14 distinct threat actors attributed by public researchers.
The threat group was observed harvesting credentials on Windows machines by using renamed versions of the ProcDump executable (pr.exe, pr64.exe and more) for dumping the LSASS.exe process memory.
"… the attackers switched to a memory dump tool (ProcDump from Sysinternals) to extract the tokens directly from the running Outlook process."
"A small utility that drops ProcDump on disk and uses it to dump the lsass process..."
APT33 has used... ProcDump to dump credentials... FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory...
"Kimsuky uses ProcDump... inclusion of ProcDump in the BabyShark malware."
By abusing legitimate tools such as Cobalt Strike, Mimikatz, ProcDump, AdFind, and WinPEAS, the group conducts credential theft, privilege escalation, lateral movement, and data exfiltration.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Due to mistakes on the attacker’s side, we managed to retrieve multiple files from Earth Krahang’s servers, including samples, configuration files, and log files from its attack tools.
Execution
2 techniques
Attackers could abuse this by appending the string to known malicious tools.
The JavaScript code pulled down an obfuscated PowerShell script that was run in memory. The PowerShell script was responsible for deploying NetSupport onto the system...
Stealth
2 techniques
There are several exceptions for werfault such as: (contains_one_of (lowcase ?file_info_description) "windows problem reporting" "windows fault reporting"))) After adding this file info description to procdump64.exe (renamed to test.exe), this rule no longer triggers.
We observed the threat actors deleting their tools (Procdump, Network scanning scripts, etc.) from hosts.
Credential Access
3 techniques
The threat group was observed harvesting credentials on Windows machines by using renamed versions of the ProcDump executable... In addition, they extracted the SAM and SYSTEM registry hives using Reg.exe binary... When compromising Windows Domain Controllers servers, the group harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised DC to locally decrypt it.
Accessing credentials by dumping Local Security Authority Subsystem Service (LSASS) with Mimikatz or ProcDump
There are several different ways to dump LSASS... Another option is to dump the LSASS process with Task Manager. Sekurlsa::minidump can open the dump file.
Discovery
1 technique
The threat actor executed a command to identify the PID of the lsass.exe process. This allowed them to target the correct process to dump lsass.
Lateral Movement
2 techniques
Next, the threat actor transferred Sysinternals tool Procdump over SMB, to the ProgramData folders on multiple hosts in the environment.
The threat actors also transferred ProcDump from the beachhead to multiple workstations.
Command and Control
1 technique
Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host.
Other
1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Sysinternals dump utility used to create LSASS memory dump files that can later be parsed for credentials.
Sysinternals memory dump tool, abused here to extract OAuth2/Microsoft 365 tokens from the memory of the running Outlook process.
Legitimate Sysinternals utility abused to dump process memory (here, Outlook) to recover OAuth 2.0 access tokens when browser token extraction was blocked.
Sysinternals process dump utility abused by Play/Balloonfly to dump process memory (commonly LSASS) for credential theft during ransomware operations.