Question:
Static analysis extracts indicators from the malicious code of the binary files. However, due to obfuscation and packing techniques, it is often difficult to detect malware only by static analysis. For packed malware, a self-modifying unpacking program unpacks the malicious PE, which is then loaded into memory for execution. When malware is executed in a sandbox, the runtime behaviour of the malware can be extracted, including creation of files and folders, function and library calls, modifications to the registry, addition of new services, creation and modification of processes, process injections, modifications to the startup programs, and installation of new applications. Attackers try to leave as few traces as possible in the file system or on disk. So memory forensics is becoming a critical tool to extract the runtime behaviour of malware and detect the malware.
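As an added illustration (not part of the question or of any posted answer), the following Python snippet shows the kind of static check that hints at the packing described above: it walks a PE section table and flags sections whose raw bytes have near-uniform entropy, or that are both writable and executable, which is what an in-place, self-modifying unpacking stub needs. The PE header offsets are the standard ones; the sample image, the 7.0-bit threshold and the section names are constructed assumptions for this example.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean near-uniform data, typical of packed or encrypted payloads."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Minimal PE section-table walk; yields (name, raw_bytes, characteristics)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows COFF header + optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name, image[raw_ptr:raw_ptr + raw_size], chars

def packing_indicators(image: bytes, threshold: float = 7.0):
    """Flag sections that hint at packing: near-random content, or writable+executable (self-modifying stub)."""
    findings = []
    for name, data, chars in pe_sections(image):
        ent = shannon_entropy(data)
        wx = bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)
        if ent > threshold or wx:
            findings.append({"section": name, "entropy": round(ent, 2), "writable_executable": wx})
    return findings

def build_sample_pe(sections):  # constructed minimal PE (no optional header), sample input only
    e_lfanew, table, body = 0x40, b"", b""
    data_start = e_lfanew + 24 + 40 * len(sections)
    for name, data, chars in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), data_start + len(body), 0, 0, 0, 0, chars)
        body += data
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + coff + table + body

# Constructed sample: an ordinary code section next to a high-entropy, writable+executable one.
SAMPLE = build_sample_pe([
    (b".text", b"push ebp; mov ebp, esp; ret\0" * 32, IMAGE_SCN_MEM_EXECUTE | 0x40000000),
    (b".packed", bytes(range(256)) * 16, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
])
```

A high-entropy section only says the bytes look random, not what they do, which is exactly why the runtime and memory-forensic view described in the question is needed to see the unpacked code.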
