Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
2.4 Footprint
Before a reboot, AM runs in the process that loaded it: either RunDLL or some
other tool. The self-deletion in this case is incomplete and won’t be finished
until the next reboot.
After the first reboot, the non-networking component of AM runs as a DLL inside of
the netsvcs svchost.exe process running as SYSTEM. The service is only loaded long
enough to load Midnight Core before it stops. In this way, there is nothing, no
running service entry or loaded DLL, to show that AM is actually running.
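
The footprint described above leaves one observable a defender can triage: a netsvcs-hosted service that starts right after boot and stops again within seconds. The following is an added example, not part of the original document; the records, service names, thresholds and the `short_lived_netsvcs` helper are all constructed for illustration, modelled on service state-change messages and ImagePath values.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the document: service state changes as
# (timestamp, service, state) and each service's ImagePath registry value.
BOOT = datetime(2024, 1, 1, 8, 0, 0)
EVENTS = [
    ("2024-01-01 08:00:05", "Schedule", "running"),
    ("2024-01-01 08:00:07", "ExampleSvc", "running"),  # hypothetical name
    ("2024-01-01 08:00:09", "ExampleSvc", "stopped"),
    ("2024-01-01 08:00:12", "Spooler", "running"),
    ("2024-01-01 08:00:13", "Spooler", "stopped"),
    ("2024-01-01 08:40:00", "BITS", "running"),
    ("2024-01-01 08:40:30", "BITS", "stopped"),
]
IMAGE_PATHS = {
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "BITS": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def short_lived_netsvcs(events, image_paths, boot, baseline=(),
                        max_run=timedelta(seconds=10),
                        boot_window=timedelta(minutes=5)):
    """Return [(service, seconds_running)] for netsvcs-hosted services that
    started within boot_window of boot and stopped within max_run."""
    started, hits = {}, []
    for ts, svc, state in sorted(events):  # ISO timestamps sort as text
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if state == "running":
            started[svc] = when
        elif state == "stopped" and svc in started:
            start = started.pop(svc)
            hosted = "-k netsvcs" in image_paths.get(svc, "").lower()
            early = timedelta(0) <= start - boot <= boot_window
            brief = when - start <= max_run
            if hosted and early and brief and svc not in baseline:
                hits.append((svc, (when - start).total_seconds()))
    return hits


if __name__ == "__main__":
    for svc, secs in short_lived_netsvcs(EVENTS, IMAGE_PATHS, BOOT):
        print(f"review: {svc} ran {secs:.0f}s in netsvcs right after boot")
```

Legitimate services also start and stop quickly, so the `baseline` argument is meant to hold the names already known for a given host image; anything left over is a lead for review, not a verdict.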
