What commands are needed to create a snapshot that includes the virtual machine's memory, and why is that important for credential extraction?
To include memory when creating a snapshot, use `vim-cmd vmsvc/snapshot.create <vmid> <name> <description> true true`. Setting the fourth argument to `true` ensures the guest memory (the `.vmem` file) is captured. Without it, the snapshot lacks the RAM contents, which matter because processes such as `lsass.exe` (which hold active credentials) exist only in memory. The `.vmem` file allows tools such as Volatility to extract live credentials, including NTLM hashes and Kerberos tickets, enabling lateral movement from the ESXi host to the Windows VM. This approach complements other credential theft techniques, such as using PHP scripts to obtain Net-NTLM hashes from browsers.
Tags: snapshot creation, memory capture, vmem file, lsass, credential theft, volatility, ESXi commands