Procdump.exe

SysInternals Memory Dump Tool


Paths:

Resources:
Acknowledgements:

Detection:

Execute

Loads calc.dll, where the DLL exports a 'MiniDumpCallbackRoutine' function. A valid process name must be supplied because a dump is still created.
procdump.exe -md calc.dll explorer.exe
Usecase: Performs execution of unsigned DLL.
Privileges required: User
OS: Windows 8.1 and higher, Windows Server 2012 and higher.
MITRE ATT&CK®: T1202



Loads calc.dll, where the DLL runs its code on DLL_PROCESS_ATTACH; the process argument can be arbitrary.
procdump.exe -md calc.dll foobar
Usecase: Performs execution of unsigned DLL.
Privileges required: User
OS: Windows 8.1 and higher, Windows Server 2012 and higher.
MITRE ATT&CK®: T1202
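Both entries above share one observable: procdump.exe launched with the -md switch followed by a DLL path. The following detection helper is an added example for this page, not part of the LOLBAS entry or of Sysinternals; it assumes process command lines are available (for instance from process-creation events) and that procdump64.exe is the 64-bit build of the same tool (an assumption, since the entry names only procdump.exe). The sample command lines are constructed.

```python
"""Flag ProcDump invocations that load a custom MiniDump callback DLL (-md).

Added detection example; it is not part of the LOLBAS entry. It assumes the
analyst has process command lines (e.g. from process-creation telemetry).
"""
import ntpath
import shlex
from typing import List, Optional

# Executable names treated as ProcDump. The entry names only procdump.exe;
# procdump64.exe is an assumption about the 64-bit build of the same tool.
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}


def parse_md_load(cmdline: str) -> Optional[dict]:
    """Return {'dll': ..., 'target': ...} when cmdline is a ProcDump -md call.

    Returns None for anything else (other tools, ProcDump without -md,
    or an unparseable command line).
    """
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv:
        return None

    exe = ntpath.basename(argv[0].strip('"')).lower()
    if exe not in PROCDUMP_NAMES:
        return None

    # ProcDump accepts switches with either '-' or '/' prefix.
    for i in range(1, len(argv)):
        if argv[i].lower() in ("-md", "/md") and i + 1 < len(argv):
            dll = argv[i + 1].strip('"')
            target = argv[i + 2].strip('"') if i + 2 < len(argv) else None
            return {"dll": dll, "target": target}
    return None


def scan(cmdlines: List[str]) -> List[dict]:
    """Run parse_md_load over many command lines and collect the hits."""
    findings = []
    for line in cmdlines:
        hit = parse_md_load(line)
        if hit is not None:
            findings.append({"cmdline": line, **hit})
    return findings


# Constructed sample command lines: the two from the entry, one benign
# ProcDump dump of a user process, and one unrelated process.
SAMPLE_CMDLINES = [
    "procdump.exe -md calc.dll explorer.exe",
    "procdump.exe -md calc.dll foobar",
    "procdump.exe -accepteula -ma notepad.exe notepad.dmp",
    "notepad.exe C:\\temp\\notes.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"procdump -md load: dll={finding['dll']} target={finding['target']}")
```

The helper matches on the switch rather than on the DLL name, because the DLL path in a real incident will not be calc.dll; an analyst would follow up by checking whether the loaded DLL is signed and where it lives on disk.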