Process Memory Dump

The memdump command uses the same technique as Shadowcloak, i.e. direct syscalls and memory reads that avoid touching disk, but instead of dumping lsass.exe it can dump the memory of any other process. This command requires that your process already holds the privileges needed to read the memory of the target process. The figure below shows the memory of explorer.exe being dumped and exfiltrated directly to your Ratel server using obfuscated syscalls, without the dump ever being written to disk.