GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-13 14:16:37
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000027 HGST_HTS545050A7E380 rev.GG2OAH20 465,76GB
Running: 4lys3tv3.exe; Driver: C:\Users\edward\AppData\Local\Temp\pwddapoc.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe2ccd169a 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe2ccd16a2 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe2ccd181a 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[1356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe2ccd1832 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1616] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffe2ccd169a 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1616] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffe2ccd16a2 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1616] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffe2ccd181a 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\system32\mfevtps.exe[1616] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffe2ccd1832 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\mcafee\VirusScan\mcods.exe[3088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe2ccd169a 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\mcafee\VirusScan\mcods.exe[3088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe2ccd16a2 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\mcafee\VirusScan\mcods.exe[3088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe2ccd181a 4 bytes [CD, 2C, FE, 7F]
.text C:\Program Files\mcafee\VirusScan\mcods.exe[3088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe2ccd1832 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe[2744] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 506 00007ffe2ccd169a 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe[2744] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 514 00007ffe2ccd16a2 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe[2744] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 118 00007ffe2ccd181a 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17031_none_fa50b3979b1bcb4a\TiWorker.exe[2744] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 142 00007ffe2ccd1832 4 bytes [CD, 2C, FE, 7F]
.text C:\Windows\Explorer.EXE[180] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe2c79fd34 5 bytes JMP 00007ffe2c760fd3
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffe2f3eac70 8 bytes JMP 00007ffe2f1c1090
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe2f3eac80 8 bytes JMP 00007ffe2f1c0870
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile 00007ffe2f3eac90 8 bytes JMP 00007ffe2f1c1770
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00007ffe2f3eaca0 1 byte JMP 00007ffe2f1c0230
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 2 00007ffe2f3eaca2 6 bytes {JMP 0xffffffffffdd5590}
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00007ffe2f3eacb0 8 bytes JMP 00007ffe2f1c0a50
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey 00007ffe2f3eace0 8 bytes JMP 00007ffe2f1c07d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 00007ffe2f3eacf0 8 bytes JMP 00007ffe2f1c09b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 00007ffe2f3ead50 8 bytes JMP 00007ffe2f1c05f0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffe2f3eadf0 8 bytes JMP 00007ffe2f1c14f0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00007ffe2f3eaea0 1 byte JMP 00007ffe2f1c0730
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 2 00007ffe2f3eaea2 6 bytes {JMP 0xffffffffffdd5890}
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe2f3eaeb0 8 bytes JMP 00007ffe2f1c11d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 00007ffe2f3eaed0 8 bytes JMP 00007ffe2f1c1450
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe2f3eaf40 8 bytes JMP 00007ffe2f1c0ff0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe2f3eaf50 8 bytes JMP 00007ffe2f1c1310
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe2f3eb0d0 8 bytes JMP 00007ffe2f1c1130
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffe2f3eb180 8 bytes JMP 00007ffe2f1c0af0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted 00007ffe2f3eb5a0 8 bytes JMP 00007ffe2f1c0690
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 00007ffe2f3eb7a0 8 bytes JMP 00007ffe2f1c1270
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 00007ffe2f3eb7b0 8 bytes JMP 00007ffe2f1c04b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00007ffe2f3eb7e0 8 bytes JMP 00007ffe2f1c0b90
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey 00007ffe2f3eb900 8 bytes JMP 00007ffe2f1c0550
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe2f3ebb90 8 bytes JMP 00007ffe2f1c0d70
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe2f3ebba0 8 bytes JMP 00007ffe2f1c0e10
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 00007ffe2f3ebc00 8 bytes JMP 00007ffe2f1c02d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted 00007ffe2f3ebc10 8 bytes JMP 00007ffe2f1c0370
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx 00007ffe2f3ebc20 8 bytes JMP 00007ffe2f1c0410
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe2f3ebe10 8 bytes JMP 00007ffe2f1c13b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00007ffe2f3ebee0 8 bytes JMP 00007ffe2f1c0cd0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject 00007ffe2f3ebf50 8 bytes JMP 00007ffe2f1c0eb0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey 00007ffe2f3ec0b0 8 bytes JMP 00007ffe2f1c0c30
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey 00007ffe2f3ec2e0 8 bytes JMP 00007ffe2f1c0910
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject 00007ffe2f3ec3c0 1 byte JMP 00007ffe2f1c0f50
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 2 00007ffe2f3ec3c2 6 bytes {JMP 0xffffffffffdd4b90}
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNEL32.DLL!CreateProcessW 00007ffe2e5c765c 7 bytes JMP 00007ffe2f1c2530
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNEL32.DLL!CreateProcessA 00007ffe2e5c8a80 7 bytes JMP 00007ffe2f1c25d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffe2e5c8b90 7 bytes JMP 00007ffe2f1c27b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNEL32.DLL!CreateActCtxA 00007ffe2e676b74 7 bytes JMP 00007ffe2f1c1630
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNEL32.DLL!WinExec 00007ffe2e69c040 5 bytes JMP 00007ffe2f1c2670
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW 00007ffe2c791fc0 7 bytes JMP 00007ffe2f1c18b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameA 00007ffe2c792080 5 bytes JMP 00007ffe2f1c1810
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryW 00007ffe2c7a2ab0 6 bytes JMP 00007ffe2f1c19f0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNELBASE.dll!CreateActCtxW 00007ffe2c7ac2c8 6 bytes JMP 00007ffe2f1c16d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryA 00007ffe2c7ef64c 5 bytes JMP 00007ffe2f1c1950
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffe2e327c44 7 bytes JMP 00007ffe2f1c2850
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 00007ffe2e32edd0 7 bytes JMP 00007ffe2f1c2710
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ole32.dll!OleUninitialize 00007ffe2eebf50c 13 bytes JMP 00007ffe2f1c2170
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ole32.dll!OleRun 00007ffe2eebfabc 5 bytes JMP 00007ffe2f1c22b0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ole32.dll!OleInitialize + 8 00007ffe2eecfca8 5 bytes JMP 00007ffe2f1c20d0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ole32.dll!OleLoadFromStream 00007ffe2ef22db4 5 bytes JMP 00007ffdef1d0238
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\ole32.dll!OleRegEnumFormatEtc 00007ffe2ef8e7e0 5 bytes JMP 00007ffe2f1c2210
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!SysFreeString 00007ffe2ebf13e0 5 bytes JMP 00007ffdef1d02f8
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!VariantClear 00007ffe2ebf1740 5 bytes JMP 00007ffdef1d03b8
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 00007ffe2ebf1e8c 10 bytes JMP 00007ffdef1d0358
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 00007ffe2ebf1eb0 5 bytes JMP 00007ffdef1d0298
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!GetActiveObject 00007ffe2ec03894 5 bytes JMP 00007ffe2f1c2490
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!RegisterActiveObject 00007ffe2ec57b88 5 bytes JMP 00007ffe2f1c2350
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\OLEAUT32.dll!RevokeActiveObject 00007ffe2ec57be8 5 bytes JMP 00007ffe2f1c23f0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\USER32.dll!BeginPaint 00007ffe2f1d1050 8 bytes JMP 00007ffdef1d0178
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\USER32.dll!ValidateRect 00007ffe2f1d1330 8 bytes JMP 00007ffdef1d01d8
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\system32\SHELL32.dll!SHParseDisplayName 00007ffe2cd77260 5 bytes JMP 00007ffdef1d0418
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffe2e97f9a0 7 bytes JMP 00007ffe2f1c1bd0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoUninitialize 00007ffe2e98959c 5 bytes JMP 00007ffe2f1c1b30
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoInitializeEx 00007ffe2e989b70 5 bytes JMP 00007ffe2f1c1a90
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffe2e98cbe0 1 byte JMP 00007ffe2f1c1c70
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance + 2 00007ffe2e98cbe2 5 bytes {JMP 0x835090}
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoGetClassObject 00007ffe2e991148 7 bytes JMP 00007ffe2f1c1e50
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoRegisterClassObject 00007ffe2e9c41e4 5 bytes JMP 00007ffe2f1c1d10
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects 00007ffe2e9c884c 7 bytes JMP 00007ffe2f1c1f90
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoRevokeClassObject 00007ffe2e9eaea0 5 bytes JMP 00007ffe2f1c1db0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoSuspendClassObjects 00007ffe2ea39730 6 bytes JMP 00007ffe2f1c2030
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile 00007ffe2ea93060 1 byte JMP 00007ffe2f1c1ef0
.text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[5920] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile + 2 00007ffe2ea93062 5 bytes {JMP 0x72ee90}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00007ffe2f3eac70 8 bytes JMP 00007ffe2f1c1090
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe2f3eac80 8 bytes JMP 00007ffe2f1c0870
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationFile 00007ffe2f3eac90 8 bytes JMP 00007ffe2f1c1770
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 00007ffe2f3eaca0 1 byte JMP 00007ffe2f1c0230
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 2 00007ffe2f3eaca2 6 bytes {JMP 0xffffffffffdd5590}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateValueKey 00007ffe2f3eacb0 8 bytes JMP 00007ffe2f1c0a50
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryKey 00007ffe2f3eace0 8 bytes JMP 00007ffe2f1c07d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 00007ffe2f3eacf0 8 bytes JMP 00007ffe2f1c09b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 00007ffe2f3ead50 8 bytes JMP 00007ffe2f1c05f0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffe2f3eadf0 8 bytes JMP 00007ffe2f1c14f0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey 00007ffe2f3eaea0 1 byte JMP 00007ffe2f1c0730
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtEnumerateKey + 2 00007ffe2f3eaea2 6 bytes {JMP 0xffffffffffdd5890}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe2f3eaeb0 8 bytes JMP 00007ffe2f1c11d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 00007ffe2f3eaed0 8 bytes JMP 00007ffe2f1c1450
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe2f3eaf40 8 bytes JMP 00007ffe2f1c0ff0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe2f3eaf50 8 bytes JMP 00007ffe2f1c1310
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe2f3eb0d0 8 bytes JMP 00007ffe2f1c1130
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00007ffe2f3eb180 8 bytes JMP 00007ffe2f1c0af0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyTransacted 00007ffe2f3eb5a0 8 bytes JMP 00007ffe2f1c0690
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 00007ffe2f3eb7a0 8 bytes JMP 00007ffe2f1c1270
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteKey 00007ffe2f3eb7b0 8 bytes JMP 00007ffe2f1c04b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 00007ffe2f3eb7e0 8 bytes JMP 00007ffe2f1c0b90
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtFlushKey 00007ffe2f3eb900 8 bytes JMP 00007ffe2f1c0550
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe2f3ebb90 8 bytes JMP 00007ffe2f1c0d70
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe2f3ebba0 8 bytes JMP 00007ffe2f1c0e10
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 00007ffe2f3ebc00 8 bytes JMP 00007ffe2f1c02d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransacted 00007ffe2f3ebc10 8 bytes JMP 00007ffe2f1c0370
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyTransactedEx 00007ffe2f3ebc20 8 bytes JMP 00007ffe2f1c0410
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe2f3ebe10 8 bytes JMP 00007ffe2f1c13b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryMultipleValueKey 00007ffe2f3ebee0 8 bytes JMP 00007ffe2f1c0cd0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQuerySecurityObject 00007ffe2f3ebf50 8 bytes JMP 00007ffe2f1c0eb0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtRenameKey 00007ffe2f3ec0b0 8 bytes JMP 00007ffe2f1c0c30
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationKey 00007ffe2f3ec2e0 8 bytes JMP 00007ffe2f1c0910
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject 00007ffe2f3ec3c0 1 byte JMP 00007ffe2f1c0f50
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSecurityObject + 2 00007ffe2f3ec3c2 6 bytes {JMP 0xffffffffffdd4b90}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNEL32.DLL!CreateProcessW 00007ffe2e5c765c 7 bytes JMP 00007ffe2f1c2530
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNEL32.DLL!CreateProcessA 00007ffe2e5c8a80 7 bytes JMP 00007ffe2f1c25d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffe2e5c8b90 7 bytes JMP 00007ffe2f1c27b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNEL32.DLL!CreateActCtxA 00007ffe2e676b74 7 bytes JMP 00007ffe2f1c1630
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNEL32.DLL!WinExec 00007ffe2e69c040 5 bytes JMP 00007ffe2f1c2670
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW 00007ffe2c791fc0 7 bytes JMP 00007ffe2f1c18b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameA 00007ffe2c792080 5 bytes JMP 00007ffe2f1c1810
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryW 00007ffe2c7a2ab0 6 bytes JMP 00007ffe2f1c19f0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNELBASE.dll!CreateActCtxW 00007ffe2c7ac2c8 6 bytes JMP 00007ffe2f1c16d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryA 00007ffe2c7ef64c 5 bytes JMP 00007ffe2f1c1950
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffe2e327c44 7 bytes JMP 00007ffe2f1c2850
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 00007ffe2e32edd0 7 bytes JMP 00007ffe2f1c2710
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ole32.dll!OleUninitialize 00007ffe2eebf50c 13 bytes JMP 00007ffe2f1c2170
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ole32.dll!OleRun 00007ffe2eebfabc 5 bytes JMP 00007ffe2f1c22b0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ole32.dll!OleInitialize + 8 00007ffe2eecfca8 5 bytes JMP 00007ffe2f1c20d0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ole32.dll!OleLoadFromStream 00007ffe2ef22db4 5 bytes JMP 00007ffdef1d0238
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\ole32.dll!OleRegEnumFormatEtc 00007ffe2ef8e7e0 5 bytes JMP 00007ffe2f1c2210
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\USER32.dll!BeginPaint 00007ffe2f1d1050 8 bytes JMP 00007ffdef1d0178
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\USER32.dll!ValidateRect 00007ffe2f1d1330 8 bytes JMP 00007ffdef1d01d8
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\SHELL32.dll!SHParseDisplayName 00007ffe2cd77260 5 bytes JMP 00007ffdef1d0418
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffe2e97f9a0 7 bytes JMP 00007ffe2f1c1bd0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoUninitialize 00007ffe2e98959c 5 bytes JMP 00007ffe2f1c1b30
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoInitializeEx 00007ffe2e989b70 5 bytes JMP 00007ffe2f1c1a90
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffe2e98cbe0 1 byte JMP 00007ffe2f1c1c70
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance + 2 00007ffe2e98cbe2 5 bytes {JMP 0x835090}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoGetClassObject 00007ffe2e991148 7 bytes JMP 00007ffe2f1c1e50
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoRegisterClassObject 00007ffe2e9c41e4 5 bytes JMP 00007ffe2f1c1d10
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects 00007ffe2e9c884c 7 bytes JMP 00007ffe2f1c1f90
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoRevokeClassObject 00007ffe2e9eaea0 5 bytes JMP 00007ffe2f1c1db0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoSuspendClassObjects 00007ffe2ea39730 6 bytes JMP 00007ffe2f1c2030
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile 00007ffe2ea93060 1 byte JMP 00007ffe2f1c1ef0
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile + 2 00007ffe2ea93062 5 bytes {JMP 0x72ee90}
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!SysFreeString 00007ffe2ebf13e0 5 bytes JMP 00007ffdef1d02f8
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!VariantClear 00007ffe2ebf1740 5 bytes JMP 00007ffdef1d03b8
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 00007ffe2ebf1e8c 10 bytes JMP 00007ffdef1d0358
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 00007ffe2ebf1eb0 5 bytes JMP 00007ffdef1d0298
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!GetActiveObject 00007ffe2ec03894 5 bytes JMP 00007ffe2f1c2490
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!RegisterActiveObject 00007ffe2ec57b88 5 bytes JMP 00007ffe2f1c2350
.text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[1296] C:\Windows\system32\OLEAUT32.dll!RevokeActiveObject 00007ffe2ec57be8 5 bytes JMP 00007ffe2f1c23f0

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [604:632] fffff9600081ab90

---- Processes - GMER 2.2 ----

Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe0b860000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe0b000000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe0ac90000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe0a4b0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe09140000
Library C:\Program Files\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [5920] 00007ffe036b0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe0bda0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe0b860000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe0b000000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe0ac90000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe0a4b0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe09140000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe018d0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe01750000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe03860000
Library C:\Program Files\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe036b0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe03250000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe03780000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe03170000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe1d2f0000
Library C:\Program Files\Common Files\Microsoft Shared\Office16\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [1296] 00007ffe17790000

---- Services - GMER 2.2 ----

Service C:\Users\edward\AppData\Local\0152F095-1471056396-E411-85C7-F0761C8993C3\qnsbE921.tmp (*** hidden *** ) [AUTO] zigipyro <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1018321463
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\40e230761950
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4cbb5874d99a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4cbb5877a7fc

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Windows\SoftwareDistribution\Download\07faae70261a77939132d7dc3bff8942\03c4dba16a2c5901ab59db93f7b4bcd5d620f7faEXT.dat 5152 bytes
File C:\Windows\SoftwareDistribution\Download\07faae70261a77939132d7dc3bff8942\03c4dba16a2c5901ab59db93f7b4bcd5d620f7fa_1 73632 bytes
File C:\Windows\SoftwareDistribution\Download\07faae70261a77939132d7dc3bff8942\Abm_97F2A9D4E907755FAACF7D7FC5EF4BF6E8A2674D.cab 20139 bytes

---- EOF - GMER 2.2 ----
