Return the Memory Dump File Script

In Cortex XSOAR, the D2Winpmem automation runs a file on a D2 agent (or shared agent) endpoint and returns the resulting memory dump file to the War Room. You can copy and adapt it to run a file of your own and return its output, which is useful when investigating any type of malware.
  1. Go to the Automations page and search for the D2Winpmem automation.
  2. Click Copy Script.
  3. In the script, change the //+winpmem/winpmem_2.0.1.exe line to the file you want to run, for example //+New-collectorD2/New-collectorD2.bat. A line that starts with //+ attaches the named file to the script so that it is pushed to the endpoint together with the script.
  4. In the var exename = 'winpmem_2.0.1.exe'; line, write the name of the file you want to execute.
  5. In the var dumpFile line, set the path of the file that the script returns to the War Room. The script sends this file with pack_file and then deletes it from the endpoint with del. For example:

        //+New-collectorD2/New-collectorD2.bat
        try {
            if (env.OS !== 'windows') {
                throw ('script can only run on Windows');
            }
            var arch = wmi_query('select OSArchitecture from win32_operatingsystem')[0].OSArchitecture;
            var exename = 'Testd2.bat';
            var dumpFile = env.TEMP + '\\New-collectorD2.bat';
            // In this example the command run is a directory listing rather than exename;
            // the second argument of execute is the timeout in seconds.
            var output = execute('cmd /c dir /s ' + env.TEMP, 30);
            pack(output);                  // command output goes to the War Room
            if (output.Success) {
                pack_file(dumpFile);       // return the file to the War Room
                del(dumpFile);             // remove it from the endpoint
            } else {
                throw output.Error;
            }
        } catch (ex) {
            pack('Winpmem failed: ' + ex);
        }

  6. Click Save.
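The following is an added example of the complete adapted script, not code from the page or from the D2Winpmem automation itself: it runs the attached collector named by exename, returns the file the collector writes, and cleans up. The D2 agent supplies the globals env, execute, pack, pack_file and del at runtime; the logic is wrapped in runCollector(rt), which receives those primitives as an object, so the same code can be exercised outside the agent. The attachment name New-collectorD2.bat, the output path collector-output.zip and the convention that the collector takes its output path as its first argument are assumptions for this example.

```javascript
//+New-collectorD2/New-collectorD2.bat
// Added example (not the page's own script). rt holds the D2 runtime primitives:
// rt.env, rt.execute, rt.pack, rt.pack_file, rt.del.
function runCollector(rt) {
  var exename = 'New-collectorD2.bat';                  // attached file to execute (assumption)
  var dumpFile = rt.env.TEMP + '\\collector-output.zip'; // file the collector writes (assumption)
  var timeoutSec = 600;                                  // execute timeout is in seconds
  try {
    if (rt.env.OS !== 'windows') {
      throw 'script can only run on Windows';
    }
    // Run the attached collector; it is assumed to take the output path as its argument.
    var output = rt.execute('cmd /c ' + exename + ' "' + dumpFile + '"', timeoutSec);
    rt.pack(output);                          // stdout/stderr of the run go to the War Room
    if (!output.Success) {
      throw output.Error;
    }
    rt.pack_file(dumpFile);                   // return the result file to the War Room
    rt.del(dumpFile);                         // remove it from the endpoint
    return { ok: true, file: dumpFile };
  } catch (ex) {
    rt.pack('Collector failed: ' + ex);
    return { ok: false, error: String(ex) };
  }
}

// Inside the D2 agent the runtime globals exist, so run immediately;
// outside the agent (e.g. Node) this branch is skipped.
if (typeof execute === 'function') {
  runCollector({ env: env, execute: execute, pack: pack, pack_file: pack_file, del: del });
}
```

The return value is only there so the logic can be checked outside the agent; in the War Room the results arrive through pack and pack_file. Note that the original D2Winpmem example keeps an unused wmi_query call for the OS architecture, which this version omits.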
