Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Dumbo User Guide
1.0 (U) Introduction
(S) Dumbo runs on a target to which we have physical access, mutes all microphones, disables
all network adapters, suspends any processes using a camera recording device, and notifies the
operator of any files to which those processes were actively writing so that they may be
selectively corrupted or deleted.
1.1 (U) Requirement
(S) The Intelligence Community has identified the need (requirement 2015-OPS0001013) for a
capability to suspend processes utilizing webcams and corrupt any video recordings that could
compromise a PAG deployment.
1.2 (U) Purpose
(U) This User Guide describes how to use Dumbo v3.0.
2.0 (U) System Overview
(U) The tool is meant to be executed on a target machine directly from a USB thumb drive. The
application must be run as SYSTEM. Dumbo will log all actions taken, either
automatically or manually by the operator, in a file called “log.txt” located in the same folder as
the tool’s execution. Dumbo will also log all processes running at the start of its execution in a
file called “proclist.txt” located in the same folder as the tool’s execution.
GUI.exe: Main executable for Dumbo v3.0. Requires being run as SYSTEM. If run as
Administrator, the tool will attempt to restart itself as SYSTEM. This file can be
renamed as desired.
GUI.exe Command-Line Options:
• -n : do not automatically disable network or Bluetooth adapters
scanner.sys: Driver necessary for the tool to run correctly on 32-bit Windows XP. The driver
will automatically be installed and removed, if necessary. The driver must be named
“scanner.sys” and be located in the same folder as the main executable. The driver is not
needed, and will not be installed, on any operating system other than 32-bit Windows XP.
wscupd.exe: Executable used to create a blue screen on 32-bit operating systems. This
file must be named “wscupd.exe” and be in the same folder as the main executable.
wermgr.exe: Executable used to create a blue screen on 64-bit operating systems. This
file must be named “wermgr.exe” and be in the same folder as the main executable.
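For forensic triage, the fixed file names and the two output files described above give a co-location pattern that survives renaming of the main executable. The following is an added example, not part of the guide or the tool: it walks a mounted image or drive and flags folders where those names appear together. The scoring weights, the threshold and the sample tree are assumptions made for illustration; “wermgr.exe” is also the name of a legitimate Windows component, so a single name match is deliberately kept below the threshold.

```python
import os
import tempfile

# Fixed names from the guide; the main executable may be renamed, so it is not listed.
FIXED_HELPERS = {"scanner.sys", "wscupd.exe", "wermgr.exe"}
OUTPUT_FILES = {"log.txt", "proclist.txt"}

def score_folder(filenames):
    """Score one folder's file names (case-insensitive). Weights are assumptions."""
    names = {n.lower() for n in filenames}
    helpers = sorted(FIXED_HELPERS & names)
    outputs = sorted(OUTPUT_FILES & names)
    # Any other .exe beside the artifacts could be the renamed main executable.
    other_exe = sorted(n for n in names
                       if n.endswith(".exe") and n not in FIXED_HELPERS)
    score = 2 * len(helpers) + len(outputs)
    if score and other_exe:
        score += 1
    return score, {"helpers": helpers, "outputs": outputs, "other_exe": other_exe}

def triage(root, threshold=4):
    """Return {folder: (score, detail)} for folders scoring at or above threshold."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        score, detail = score_folder(files)
        if score >= threshold:
            hits[folder] = (score, detail)
    return hits

def build_sample(root):
    """Create a constructed sample tree of empty files (not real evidence)."""
    layout = {
        os.path.join("usb", "tools"): ["update.exe", "wscupd.exe", "wermgr.exe",
                                       "log.txt", "proclist.txt"],
        os.path.join("Windows", "System32"): ["wermgr.exe", "notepad.exe"],
        "project": ["log.txt", "readme.md"],
    }
    for rel, files in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in files:
            open(os.path.join(root, rel, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, (score, detail) in triage(tmp).items():
            print(score, os.path.relpath(folder, tmp), detail)
```

A hit is a lead for closer examination of the folder's contents and timestamps, not a confirmation.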
Dumbo-v3_0-User_Guide.pdf