The shadowclone command is a reflective memory dumping utility. It uses PssCreateSnapshot and MiniDumpWriteDump WinAPI to dump the memory to C:\Windows\Memory.DMP. PssCreateSnapshot API doesn’t dump the memory of Lsass.exe directly. It takes a Virtual snapshot of the memory of lsass.exe and then dumps the memory from the virtual snapshot. The dump file can be downloaded using the download command and passwords and NTLM hashes can be retrieved offline using Mimikatz.