The shadowcloak command is a unique minidump technique which doesn’t use Minidumpwritedump API call. Most of the API calls for shadowcloak were written from scratch using ReactOS instead of calling the APIs from windlls. This helps to avoid calling of any API call which might be hooked. Shadowcloak uses Syscalls to read the memory of lsass.exe and download the memory buffer directly to the Ratel Server. This command takes a while to fully complete since it extracts chunks of memory blocks and downloads them to the Ratel server.