Abstract
Run files using the D2Winpmem automation to return memory dump file to War Room when investigating malware.
You can run files using the D2Winpmem automation, which returns the memory dump file to the War Room. This is useful when dealing with any type of malware.
Go to the Automations page and search for the D2Winpmem automation.
Click Copy Script.
In the script, change the
//+winpmem/winpmem_2.0.1.exe
line to the file you want to run. For example:
//+New-collectorD2/New-collectorD2.bat
In the
var exename = 'winpmem_2.0.1.exe';
line, write the file you want to execute.
In the
var dumpFile
line, add the file you want to run.
The resulting script, with those lines changed, looks like this:
//+New-collectorD2/New-collectorD2.bat
try {
    // The D2 agent script is only meant to run on Windows endpoints.
    if (env.OS !== 'windows') {
        throw ('script can only run on Windows');
    }
    // OS architecture from WMI (queried but not used further below).
    var arch = wmi_query('select OSArchitecture from win32_operatingsystem')[0].OSArchitecture;
    // File to execute; note that the execute() call below does not reference it.
    var exename = 'Testd2.bat';
    // File that is returned to the War Room and then deleted from the endpoint.
    var dumpFile = env.TEMP + '\\New-collectorD2.bat';
    var output = execute('cmd /c dir /s ' + env.TEMP, 30); // 30 second timeout
    // Return the command output to the War Room.
    pack(output);
    if (output.Success) {
        pack_file(dumpFile);
        del(dumpFile);
    } else {
        throw output.Error;
    }
} catch (ex) {
    pack('Winpmem failed: ' + ex);
}
Click Save.
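Before saving, it is easy to leave the three edited places out of step with each other (the script above, for instance, bundles New-collectorD2.bat but sets exename to Testd2.bat, and its execute() call never uses exename). The following added example, which is not part of the D2Winpmem automation or of Cortex XSOAR, is a small pre-save check that reads those three settings from the script text and reports such mismatches. It assumes the customized script is available as a string; the checks are heuristics based only on the patterns shown in this article.

```javascript
// Pre-save consistency check for a customized D2 script (added example).
// Extracts the "//+" bundled-resource lines, "var exename", "var dumpFile"
// and the execute() call, then reports mismatches between them.

function extractD2Settings(script) {
  const resources = [];
  const resourceRe = /^\/\/\+(\S+)/gm; // "//+path/to/file" lines
  let m;
  while ((m = resourceRe.exec(script)) !== null) {
    resources.push(m[1]);
  }
  const exeMatch = /var\s+exename\s*=\s*'([^']*)'/.exec(script);
  const dumpMatch = /var\s+dumpFile\s*=\s*([^;]+);/.exec(script);
  const execMatch = /execute\(([^;]+?),\s*(\d+)\s*\)/.exec(script);
  return {
    resources,
    exename: exeMatch ? exeMatch[1] : null,
    dumpFileExpr: dumpMatch ? dumpMatch[1].trim() : null,
    executeArg: execMatch ? execMatch[1].trim() : null,
    timeout: execMatch ? Number(execMatch[2]) : null,
  };
}

function checkD2Script(script) {
  const s = extractD2Settings(script);
  const problems = [];
  // Basename of each bundled resource, e.g. "New-collectorD2.bat".
  const basenames = s.resources.map((r) => r.split('/').pop());
  if (s.exename && !basenames.includes(s.exename)) {
    problems.push("exename '" + s.exename + "' is not bundled by any //+ line (" +
      (basenames.join(', ') || 'none') + ')');
  }
  if (s.executeArg && !s.executeArg.includes('exename')) {
    problems.push('execute() does not reference exename');
  }
  if (s.dumpFileExpr && !/env\.TEMP/.test(s.dumpFileExpr)) {
    problems.push('dumpFile is not under env.TEMP');
  }
  return { settings: s, problems };
}

// Constructed sample input: the edited lines from the script in this article.
const SAMPLE_SCRIPT = [
  '//+New-collectorD2/New-collectorD2.bat',
  "var exename = 'Testd2.bat';",
  "var dumpFile = env.TEMP + '\\\\New-collectorD2.bat';",
  "var output = execute('cmd /c dir /s ' + env.TEMP, 30);",
].join('\n');
```

Running checkD2Script(SAMPLE_SCRIPT) on that sample reports two problems: the exename is not among the bundled files, and execute() does not use it.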