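Technical Information
Note: the section headings of this report are missing, so the entries below run together. In order they are:
- two registry values for the Umbrella_RC service ('Start' = 2 is the automatic-start setting for a Windows service);
- file paths, in two runs. The second run starts at the repeated %TEMP%\Cab2.tmp entry and repeats only the %TEMP%, %WINDIR%\Installer and C:\Config.Msi paths from the first. That is consistent with files that were created and then removed, but the listing itself does not say so;
- network activity: host:port pairs, HTTP request URLs and DNS queries. The '#' characters in host names appear to be masked characters, not part of the real names;
- process command lines, including a silent (/qn) msiexec install.
Temporary names such as MSI19.tmp, Cab2.tmp and 20565.msi are generated by the installer and normally differ between runs, so they are weak indicators on their own.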
- [<HKLM>\SYSTEM\ControlSet001\Services\Umbrella_RC] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Umbrella_RC] 'ImagePath' = '"%ProgramFiles%\OpenDNS\Umbrella Roaming Client\ERCService.exe"'
- %TEMP%\7zS1.tmp\CiscoUmbrellaRoamingClient.msi
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\libdcplugin_erc.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\libldns-1.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\log4net.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\networklist.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\Newtonsoft.Json.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\UmbrellaDiagnostic.exe
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\UmbrellaDiagnostic.exe.config
- %WINDIR%\Installer\MSI19.tmp
- %WINDIR%\Installer\MSI19.tmp-\InstallerCustomActions.dll
- %WINDIR%\Installer\MSI19.tmp-\Core.dll
- %WINDIR%\Installer\MSI19.tmp-\Microsoft.Deployment.WindowsInstaller.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\hermes_ca_cert_2016.pem
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\ipblocking.dll
- %WINDIR%\Installer\MSI19.tmp-\Newtonsoft.Json.dll
- %WINDIR%\Installer\MSI19.tmp-\CustomAction.config
- %ALLUSERSPROFILE%\Application Data\OpenDNS\ERC\OrgInfo.json
- %WINDIR%\Installer\MSI1A.tmp
- %WINDIR%\Installer\MSI1C.tmp
- %WINDIR%\Installer\MSI1E.tmp
- %WINDIR%\Installer\MSI20.tmp
- %ALLUSERSPROFILE%\Application Data\OpenDNS\ERC\OpenDNS_ERC_Service.log
- %ALLUSERSPROFILE%\Application Data\OpenDNS\ERC\PersistedNicDefaults.json
- %WINDIR%\Installer\20569.msi
- %WINDIR%\Installer\{47904E32-6950-4AF8-8F86-7DEA7F51EB56}\OpenDNSIconICO
- C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
- %WINDIR%\Installer\MSI19.tmp-\NETWORKLIST.dll
- %WINDIR%\Installer\MSI19.tmp-\log4net.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\hermes_ca_cert_2015.pem
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\hermes_ca_cert.pem
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\GetNetStats.bat
- %WINDIR%\Installer\20565.msi
- %TEMP%\Cab2.tmp
- %TEMP%\Cab4.tmp
- %TEMP%\Cab6.tmp
- %WINDIR%\Installer\20567.ipi
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\Installer\MSI9.tmp
- %WINDIR%\Installer\MSIA.tmp
- %WINDIR%\Installer\MSIA.tmp-\InstallerCustomActions.dll
- %WINDIR%\Installer\MSIA.tmp-\Core.dll
- %WINDIR%\Installer\MSIA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
- %WINDIR%\Installer\MSIA.tmp-\Newtonsoft.Json.dll
- %TEMP%\7zS1.tmp\TestDeploy.bat
- %WINDIR%\Installer\MSIA.tmp-\NETWORKLIST.dll
- %WINDIR%\Installer\MSIA.tmp-\CustomAction.config
- %WINDIR%\Installer\MSIB.tmp
- %WINDIR%\Installer\MSIF.tmp
- C:\Config.Msi\20568.rbs
- %TEMP%\Cab11.tmp
- %TEMP%\Cab13.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab17.tmp
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\Core.dll
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\dnscrypt-proxy.exe
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\ERCService.exe
- %ProgramFiles%\OpenDNS\Umbrella Roaming Client\ERCService.exe.config
- %WINDIR%\Installer\MSIA.tmp-\log4net.dll
- %ALLUSERSPROFILE%\Application Data\OpenDNS\ERC\Config.json
- %ALLUSERSPROFILE%\Application Data\OpenDNS\ERC\RoamingProfile.json
- %TEMP%\Cab2.tmp
- %WINDIR%\Installer\MSI19.tmp-\log4net.dll
- %WINDIR%\Installer\MSI19.tmp-\Microsoft.Deployment.WindowsInstaller.dll
- %WINDIR%\Installer\MSI19.tmp-\NETWORKLIST.dll
- %WINDIR%\Installer\MSI19.tmp-\Newtonsoft.Json.dll
- %WINDIR%\Installer\MSI19.tmp
- %WINDIR%\Installer\MSI19.tmp-\CustomAction.config
- %WINDIR%\Installer\MSI19.tmp-\InstallerCustomActions.dll
- %WINDIR%\Installer\MSI1A.tmp
- %WINDIR%\Installer\MSI20.tmp
- %WINDIR%\Installer\MSI8.tmp
- C:\Config.Msi\20568.rbs
- %WINDIR%\Installer\20565.msi
- %WINDIR%\Installer\20567.ipi
- %WINDIR%\Installer\MSI1C.tmp
- %WINDIR%\Installer\MSI1E.tmp
- %WINDIR%\Installer\MSI19.tmp-\Core.dll
- %TEMP%\Cab17.tmp
- %TEMP%\Cab15.tmp
- %TEMP%\Cab6.tmp
- %WINDIR%\Installer\MSI9.tmp
- %WINDIR%\Installer\MSIA.tmp-\Core.dll
- %WINDIR%\Installer\MSIA.tmp-\CustomAction.config
- %WINDIR%\Installer\MSIA.tmp-\InstallerCustomActions.dll
- %WINDIR%\Installer\MSIA.tmp-\log4net.dll
- %TEMP%\Cab4.tmp
- %WINDIR%\Installer\MSIA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
- %WINDIR%\Installer\MSIA.tmp-\Newtonsoft.Json.dll
- %WINDIR%\Installer\MSIA.tmp
- %WINDIR%\Installer\MSIB.tmp
- %WINDIR%\Installer\MSIF.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\Cab13.tmp
- %WINDIR%\Installer\MSIA.tmp-\NETWORKLIST.dll
- %TEMP%\7zS1.tmp\CiscoUmbrellaRoamingClient.msi
- %TEMP%\7zS1.tmp\TestDeploy.bat
- 'wp#d':80
- 'cr#.##modoca.com':80
- 'download.windowsupdate.com':80
- 'ap#.#pendns.com':443
- http://11#.#11.111.1/wpad.dat via wp#d
- http://cr#.##modoca.com/COMODORSAAddTrustCA.crt
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt via download.windowsupdate.com
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab via download.windowsupdate.com
- http://cr#.##modoca.com/COMODORSACodeSigningCA.crt
- DNS ASK wp#d
- DNS ASK cr#.##modoca.com
- DNS ASK ap#.#pendns.com
- '%ProgramFiles%\OpenDNS\Umbrella Roaming Client\ERCService.exe'
- '<SYSTEM32>\cmd.exe' /c .\TestDeploy.bat
- '<SYSTEM32>\msiexec.exe' /i "%TEMP%\7zS1.tmp\CiscoUmbrellaRoamingClient.msi" /qn ORG_ID=2447352 ORG_FINGERPRINT=bb7a308c7e3798c51c21710ef7eb7b9c USER_ID=9952022 HIDE_UI=1 HIDE_ARP=1
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe' -Embedding 22C02E8186C1C1C4515127B71CBBA8B6
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\Installer\MSIA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_143453 8 InstallerCustomActions!InstallerCustomActions.CustomActions.ReadOrgInfo
- '<SYSTEM32>\msiexec.exe' -Embedding 7D54C0A57191AD2024A0F31869B43819 M Global\MSI0000
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\Installer\MSI19.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_153234 56 InstallerCustomActions!InstallerCustomActions.CustomActions.CreateOrgInfo
- '<SYSTEM32>\ipconfig.exe' /flushdns