Dumping

Tools:
http://split-code.com/processdump.html
https://github.com/hasherezade/pe-sieve/releases
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
https://github.com/limbenjamin/TCPHound
https://github.com/CodeCracker-Tools/MegaDumper (compiled hash ab7691992a11bb2def8228f85f4f098594ff2b4405860eba6e1f99e912761cf9 on Hybrid Analysis and Malshare)
For windows users to use instead of stringex below:
https://www.mzrst.com/ PPEE (puppy)
https://www.winitor.com/get.html PEStudio

Setup
all apps in C:\Apps (or wherever you want)

on a known clean VM/bare metal box, run the below to create known good hash db:
pd64 -db gen
pd64 -db add C:\Apps

Sometimes I change the names of the applications in case some malware search the drive for them.

Run the malware and when you see a connection attempt run the dump.bat script, if this is a .NET binary dump it via MegaDumper as well
you should end up with several files and usually a process_<digits> dir:
32952333 Oct 25  2019 DHL 4562262.exe_191025_121116.dmp
  155648 Oct 25  2019 DHL 4562262_exe_PID918_DHL 4562262.exe_400000_x86.exe
  516096 Oct 25  2019 DHL 4562262_exe_PID918_hiddenmodule_1E0000_x86.exe
    4096 Oct 25 11:26 process_2328

use stringex <filename> (or PPEE or PEStudio) and look for interesting strings...a safe bet is to look for the network hosts you saw the malware connecting to as a starting point.

dump.bat:
C:\Apps\pd64.exe -pid %1
C:\Apps\pe-sieve64 /imp /pid %1
C:\Apps\procdump -ma %1

stringex:
#!/bin/bash
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/' ; strings -a -td -eb "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 U \2/') | sort -n