How can an attacker use VMware ESXi snapshot files to extract credentials from a Windows domain controller VM?
An attacker with control over a VMware ESXi host can create a snapshot of a target Windows virtual machine that includes the guest's memory, for example with `vim-cmd vmsvc/snapshot.create`. The resulting `.vmem` file, which captures the VM's RAM at the moment of the snapshot, can then be analyzed offline with the memory-forensics framework Volatility. Running plugins such as `hashdump` and `lsadump` against that memory image yields the local user password hashes and LSA secrets held in the guest's memory. This technique enables lateral movement from the hypervisor into the guest OS, comparable to other post-exploitation lateral movement methods such as abusing `net session` or using WMIC.
Tags: VMware ESXi, snapshot, lateral movement, volatility, hashdump, lsadump, credential extraction, domain controller, vmem