<?xml version="1.0"?>
<!-- This analysis was created by CWSandbox (c) CWSE GmbH / Sunbelt Software -->
<analysis cwsversion="2.1.12" time="30.07.2009 08:29:08" file="c:\PostalGusanito.exe" md5="30ccf558ea5d08e830942f9cb4a03e26" sha1="54e4a1b6b5b145fa0b659b1c583aa732c2442458" logpath="c:\cwsandbox\log\PostalGusanito.exe\run_1\" analysisid="617481" sampleid="408136">
<calltree>
<process_call index="1" pid="2612" filename="c:\PostalGusanito.exe" starttime="00:01.094" startreason="AnalysisTarget">
<calltree>
<process_call index="3" pid="2772" filename="c:\PostalGusanito.exe" starttime="00:10.297" startreason="CreateProcess">
<calltree>
<process_call index="4" pid="1704" filename="C:\WINDOWS\Explorer.EXE" starttime="00:25.922" startreason="InjectedCode"/>
</calltree>
</process_call>
</calltree>
</process_call>
<process_call index="2" pid="980" filename="C:\WINDOWS\system32\svchost.exe" starttime="00:03.375" startreason="DCOMService"/>
<process_call index="5" pid="792" filename="C:\WINDOWS\system32\services.exe" starttime="00:38.047" startreason="SCM"/>
</calltree>
<processes>
<process index="1" pid="2612" filename="c:\PostalGusanito.exe" filesize="239424" md5="30ccf558ea5d08e830942f9cb4a03e26" sha1="54e4a1b6b5b145fa0b659b1c583aa732c2442458" username="Administrator" parentindex="0" starttime="00:01.094" terminationtime="00:10.703" startreason="AnalysisTarget" terminationreason="NormalTermination" executionstatus="OK" applicationtype="Win32Application">
<com_section>
<com_create_instance inprocserver32="C:\WINDOWS\system32\msvbvm60.dll" clsid="&#x7B;D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731&#x7D;" interfaceid="&#x7B;00000000-0000-0000-C000-000000000046&#x7D;"/>
<com_create_instance inprocserver32="C:\WINDOWS\system32\msvbvm60.dll" clsid="&#x7B;D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731&#x7D;" interfaceid="&#x7B;4495AD01-C993-11D1-A3E4-00A0C90AEA82&#x7D;"/>
<com_create_instance inprocserver32="C:\WINDOWS\system32\msvbvm60.dll" clsid="&#x7B;D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731&#x7D;" interfaceid="&#x7B;7FD52380-4E07-101B-AE2D-08002B2EC713&#x7D;"/>
<com_create_instance inprocserver32="C:\WINDOWS\system32\msvbvm60.dll" clsid="&#x7B;D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731&#x7D;" interfaceid="&#x7B;37D84F60-42CB-11CE-8135-00AA004BB851&#x7D;"/>
</com_section>
<dll_handling_section>
<load_image filename="c:\PostalGusanito.exe" successful="1" address="&#x24;400000" end_address="&#x24;43A740" size="239424"/>
<load_dll filename="C:\WINDOWS\system32\ntdll.dll" successful="1" address="&#x24;7C910000" end_address="&#x24;7C9C9000" size="757760" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\kernel32.dll" successful="1" address="&#x24;7C800000" end_address="&#x24;7C908000" size="1081344" quantity="5"/>
<load_dll filename="C:\WINDOWS\system32\MSVBVM60.DLL" successful="1" address="&#x24;73390000" end_address="&#x24;734E3000" size="1388544"/>
<load_dll filename="C:\WINDOWS\system32\USER32.dll" successful="1" address="&#x24;7E360000" end_address="&#x24;7E3F1000" size="593920"/>
<load_dll filename="C:\WINDOWS\system32\GDI32.dll" successful="1" address="&#x24;77EF0000" end_address="&#x24;77F39000" size="299008"/>
<load_dll filename="C:\WINDOWS\system32\ADVAPI32.dll" successful="1" address="&#x24;77DA0000" end_address="&#x24;77E4A000" size="696320"/>
<load_dll filename="C:\WINDOWS\system32\RPCRT4.dll" successful="1" address="&#x24;77E50000" end_address="&#x24;77EE2000" size="598016"/>
<load_dll filename="C:\WINDOWS\system32\Secur32.dll" successful="1" address="&#x24;77FC0000" end_address="&#x24;77FD1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\ole32.dll" successful="1" address="&#x24;774B0000" end_address="&#x24;775ED000" size="1298432" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\msvcrt.dll" successful="1" address="&#x24;77BE0000" end_address="&#x24;77C38000" size="360448"/>
<load_dll filename="C:\WINDOWS\system32\OLEAUT32.dll" successful="1" address="&#x24;770F0000" end_address="&#x24;7717B000" size="569344" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\IMM32.DLL" successful="1" address="&#x24;76330000" end_address="&#x24;7634D000" size="118784"/>
<load_dll filename="C:\WINDOWS\system32\pstorec.dll" successful="1" address="&#x24;5E490000" end_address="&#x24;5E49D000" size="53248"/>
<load_dll filename="C:\WINDOWS\system32\ATL.DLL" successful="1" address="&#x24;76AD0000" end_address="&#x24;76AE1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\VB6DE.DLL" successful="0"/>
<load_dll filename="C:\WINDOWS\system32\VB6ES.DLL" successful="0"/>
<load_dll filename="C:\WINDOWS\system32\uxtheme.dll" successful="1" address="&#x24;5B0F0000" end_address="&#x24;5B128000" size="229376"/>
<load_dll filename="C:\WINDOWS\system32\SXS.DLL" successful="1" address="&#x24;76970000" end_address="&#x24;76A21000" size="724992"/>
<load_dll filename="C:\WINDOWS\system32\version.dll" successful="1" address="&#x24;77BD0000" end_address="&#x24;77BD8000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\msctfime.ime" successful="1" address="&#x24;10D0001" end_address="&#x24;10D0001" size="0" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\msctfime.ime" successful="1" address="&#x24;75250000" end_address="&#x24;7527E000" size="188416" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\MSCTF.dll" successful="1" address="&#x24;746A0000" end_address="&#x24;746EC000" size="311296"/>
</dll_handling_section>
<filesystem_section>
<get_file_attributes filetype="file" srcfile="C:\WINDOWS\Registration" desiredaccess="FILE_ANY_ACCESS" flags="SECURITY_ANONYMOUS"/>
<open_file filetype="file" srcfile="C:\WINDOWS\Registration\R000000000007.clb" creationdistribution="OPEN_EXISTING" desiredaccess="FILE_ANY_ACCESS" shareaccess="FILE_SHARE_READ" flags="SECURITY_ANONYMOUS"/>
<get_file_attributes filetype="file" srcfile="C:\WINDOWS\system32\.HLP" desiredaccess="FILE_ANY_ACCESS" flags="SECURITY_ANONYMOUS" quantity="2"/>
<get_file_attributes filetype="file" srcfile="C:\WINDOWS\Help\.HLP" desiredaccess="FILE_ANY_ACCESS" flags="SECURITY_ANONYMOUS" quantity="2"/>
</filesystem_section>
<ini_file_section>
<read_value file="WINHELP.INI" section="FILES" value=".HLP" quantity="2"/>
</ini_file_section>
<mutex_section>
<create_mutex name="CTF.LBES.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500" owned="0"/>
<create_mutex name="CTF.Compart.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500" owned="0"/>
<create_mutex name="CTF.Asm.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500" owned="0"/>
<create_mutex name="CTF.Layouts.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500" owned="0"/>
<create_mutex name="CTF.TMD.MutexDefaultS-1-5-21-583907252-1708537768-842925246-500" owned="0"/>
<create_mutex name="CTF.TimListCache.FMPDefaultS-1-5-21-583907252-1708537768-842925246-500MUTEX.DefaultS-1-5-21-583907252" owned="0"/>
</mutex_section>
<registry_section>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PostalGusanito.exe"/>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared" value="CUAS" quantity="2"/>
<open_key key="HKEY_CURRENT_USER\Keyboard Layout\Toggle"/>
<query_value key="HKEY_CURRENT_USER\Keyboard Layout\Toggle" value="Language Hotkey"/>
<query_value key="HKEY_CURRENT_USER\Keyboard Layout\Toggle" value="Layout Hotkey"/>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF" value="EnableAnchorContext"/>
<open_key key="HKEY_LOCAL_MACHINE\System\Setup"/>
<open_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM" value="Ime File"/>
<open_key key="HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF"/>
<query_value key="HKEY_CURRENT_USER\Software\Microsoft\CTF" value="Disable Thread Input Manager"/>
<open_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared"/>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors" quantity="2"/>
<open_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows" quantity="2"/>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\HTML Help"/>
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help"/>
</registry_section>
<process_section>
<create_process commandline="c:\PostalGusanito.exe" targetpid="2772" creationflags="CREATE_SUSPENDED" showwindow="SW_HIDE" apifunction="CreateProcessW" successful="1"/>
<kill_process targetpid="2612" apifunction="NtTerminateProcess"/>
</process_section>
<system_section>
<sleep milliseconds="0"/>
</system_section>
<system_info_section>
<check_for_debugger apifunction="IsDebuggerPresent"/>
<get_system_directory quantity="11"/>
<get_windows_directory/>
</system_info_section>
<thread_section>
<set_thread_context targetpid="2772" threadid="2776" address="&#x24;7C810705"/>
</thread_section>
<virtual_memory_section>
<vm_allocate targetpid="2772" wantedaddress="&#x24;00400000" address="&#x24;00400000" wantedsize="118784" size="118784" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT MEM_RESERVE"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00400000" address="&#x24;00400000" wantedsize="1024" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;0"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00400000" address="&#x24;00400000" wantedsize="4096" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;0"/>
<vm_write targetpid="2772" address="&#x24;00400000" size="1024" behavior="Normal"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00401000" address="&#x24;00401000" wantedsize="90112" size="90112" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;1000" quantity="2"/>
<vm_write targetpid="2772" address="&#x24;00401000" size="90112" behavior="Normal"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00417000" address="&#x24;00417000" wantedsize="7168" size="8192" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;17000"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00417000" address="&#x24;00417000" wantedsize="8192" size="8192" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;17000"/>
<vm_write targetpid="2772" address="&#x24;00417000" size="7168" behavior="Normal"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00419000" address="&#x24;00419000" wantedsize="9728" size="12288" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;19000"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;00419000" address="&#x24;00419000" wantedsize="12288" size="12288" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="c:\postalgusanito.exe.&#x24;19000"/>
<vm_write targetpid="2772" address="&#x24;00419000" size="9728" behavior="Normal"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7FFDF008" address="&#x24;7FFDF000" wantedsize="4" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7FFDF000" address="&#x24;7FFDF000" wantedsize="4096" size="4096" protect="PAGE_READWRITE" behavior="Normal" target="PEB"/>
<vm_write targetpid="2772" address="&#x24;7FFDF008" size="4" behavior="Normal"/>
</virtual_memory_section>
<window_section>
<create_window hwnd="&#x24;0003013C" classname="OleMainThreadWndClass" windowname="OleMainThreadWndName" height="0" width="0" top="0" left="0" style="WS_DISABLED WS_OVERLAPPED WS_POPUP WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR"/>
<create_window hwnd="&#x24;0002013E" classname="IME" windowname="Default IME" height="0" width="0" top="0" left="0" style="WS_DISABLED WS_OVERLAPPED WS_POPUP WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR"/>
<create_window hwnd="&#x24;00020140" classname="ThunderRT6Main" height="0" width="0" top="0" left="0" style="WS_MAXIMIZEBOX WS_OVERLAPPED WS_POPUP WS_SYSMENU WS_TABSTOP WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR WS_EX_TOOLWINDOW"/>
<show_window hwnd="&#x24;00020140"/>
<create_window hwnd="&#x24;00010186" classname="VBMsoStdCompMgr" height="0" width="0" top="0" left="0" style="WS_OVERLAPPED WS_POPUP WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR"/>
<destroy_window hwnd="&#x24;00020140" classname="ThunderRT6Main" windowname="Stub"/>
<enum_window quantity="15"/>
<destroy_window hwnd="&#x24;00010188"/>
<destroy_window hwnd="&#x24;00010186" classname="VBMsoStdCompMgr"/>
</window_section>
<windows_hook_section>
<set_windows_hook hookid="WH_KEYBOARD" threadid="2616" hook_address="&#x24;746B07C3" hook_module="&#x24;746A0000"/>
<set_windows_hook hookid="WH_MOUSE" threadid="2616" hook_address="&#x24;746B04CD" hook_module="&#x24;746A0000"/>
<set_windows_hook hookid="WH_MSGFILTER" threadid="2616" hook_address="&#x24;733F1C8C" hook_module="&#x24;00000000"/>
</windows_hook_section>
</process>
<process index="2" pid="980" filename="C:\WINDOWS\system32\svchost.exe" filesize="14336" md5="4fbc75b74479c7a6f829e0ca19df3366" sha1="97c7c354c12b89c797740b35ed81879be58f3deb" username="SYSTEM" parentindex="0" starttime="00:03.375" terminationtime="02:01.766" startreason="DCOMService" terminationreason="Timeout" executionstatus="OK">
<dll_handling_section>
<load_image filename="C:\WINDOWS\system32\svchost.exe" successful="1" address="&#x24;1000000" end_address="&#x24;1006000" size="24576"/>
<load_dll filename="C:\WINDOWS\system32\ntdll.dll" successful="1" address="&#x24;7C910000" end_address="&#x24;7C9C9000" size="757760"/>
<load_dll filename="C:\WINDOWS\system32\kernel32.dll" successful="1" address="&#x24;7C800000" end_address="&#x24;7C908000" size="1081344"/>
<load_dll filename="C:\WINDOWS\system32\ADVAPI32.dll" successful="1" address="&#x24;77DA0000" end_address="&#x24;77E4A000" size="696320"/>
<load_dll filename="C:\WINDOWS\system32\RPCRT4.dll" successful="1" address="&#x24;77E50000" end_address="&#x24;77EE2000" size="598016"/>
<load_dll filename="C:\WINDOWS\system32\Secur32.dll" successful="1" address="&#x24;77FC0000" end_address="&#x24;77FD1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\ShimEng.dll" successful="1" address="&#x24;5CF00000" end_address="&#x24;5CF26000" size="155648"/>
<load_dll filename="C:\WINDOWS\AppPatch\AcGenral.DLL" successful="1" address="&#x24;6FD90000" end_address="&#x24;6FF5A000" size="1875968"/>
<load_dll filename="C:\WINDOWS\system32\USER32.dll" successful="1" address="&#x24;7E360000" end_address="&#x24;7E3F1000" size="593920"/>
<load_dll filename="C:\WINDOWS\system32\GDI32.dll" successful="1" address="&#x24;77EF0000" end_address="&#x24;77F39000" size="299008"/>
<load_dll filename="C:\WINDOWS\system32\WINMM.dll" successful="1" address="&#x24;76AF0000" end_address="&#x24;76B1E000" size="188416"/>
<load_dll filename="C:\WINDOWS\system32\ole32.dll" successful="1" address="&#x24;774B0000" end_address="&#x24;775ED000" size="1298432"/>
<load_dll filename="C:\WINDOWS\system32\msvcrt.dll" successful="1" address="&#x24;77BE0000" end_address="&#x24;77C38000" size="360448"/>
<load_dll filename="C:\WINDOWS\system32\OLEAUT32.dll" successful="1" address="&#x24;770F0000" end_address="&#x24;7717B000" size="569344"/>
<load_dll filename="C:\WINDOWS\system32\MSACM32.dll" successful="1" address="&#x24;77BB0000" end_address="&#x24;77BC5000" size="86016"/>
<load_dll filename="C:\WINDOWS\system32\VERSION.dll" successful="1" address="&#x24;77BD0000" end_address="&#x24;77BD8000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\SHELL32.dll" successful="1" address="&#x24;7E670000" end_address="&#x24;7EE91000" size="8523776"/>
<load_dll filename="C:\WINDOWS\system32\SHLWAPI.dll" successful="1" address="&#x24;77F40000" end_address="&#x24;77FB6000" size="483328"/>
<load_dll filename="C:\WINDOWS\system32\USERENV.dll" successful="1" address="&#x24;76620000" end_address="&#x24;766D6000" size="745472"/>
<load_dll filename="C:\WINDOWS\system32\UxTheme.dll" successful="1" address="&#x24;5B0F0000" end_address="&#x24;5B128000" size="229376"/>
<load_dll filename="C:\WINDOWS\system32\IMM32.DLL" successful="1" address="&#x24;76330000" end_address="&#x24;7634D000" size="118784"/>
<load_dll filename="C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\" successful="1" address="&#x24;773A0000" end_address="&#x24;774A3000" size="1060864"/>
<load_dll filename="C:\WINDOWS\system32\comctl32.dll" successful="1" address="&#x24;5D450000" end_address="&#x24;5D4EA000" size="630784"/>
<load_dll filename="C:\WINDOWS\system32\NTMARTA.DLL" successful="1" address="&#x24;77660000" end_address="&#x24;77681000" size="135168"/>
<load_dll filename="C:\WINDOWS\system32\SAMLIB.dll" successful="1" address="&#x24;71B70000" end_address="&#x24;71B83000" size="77824"/>
<load_dll filename="C:\WINDOWS\system32\WLDAP32.dll" successful="1" address="&#x24;76F20000" end_address="&#x24;76F4D000" size="184320"/>
<load_dll filename="c:\windows\system32\rpcss.dll" successful="1" address="&#x24;76A30000" end_address="&#x24;76A94000" size="409600"/>
<load_dll filename="c:\windows\system32\WS2_32.dll" successful="1" address="&#x24;71A10000" end_address="&#x24;71A27000" size="94208"/>
<load_dll filename="c:\windows\system32\WS2HELP.dll" successful="1" address="&#x24;71A00000" end_address="&#x24;71A08000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\xpsp2res.dll" successful="1" address="&#x24;630000" end_address="&#x24;909000" size="2985984"/>
<load_dll filename="C:\WINDOWS\system32\CLBCATQ.DLL" successful="1" address="&#x24;76F90000" end_address="&#x24;7700F000" size="520192"/>
<load_dll filename="C:\WINDOWS\system32\COMRes.dll" successful="1" address="&#x24;77010000" end_address="&#x24;770E3000" size="864256"/>
<load_dll filename="c:\windows\system32\termsrv.dll" successful="1" address="&#x24;761D0000" end_address="&#x24;76224000" size="344064"/>
<load_dll filename="c:\windows\system32\ICAAPI.dll" successful="1" address="&#x24;74EF0000" end_address="&#x24;74EF6000" size="24576"/>
<load_dll filename="c:\windows\system32\SETUPAPI.dll" successful="1" address="&#x24;778F0000" end_address="&#x24;779E4000" size="999424"/>
<load_dll filename="C:\WINDOWS\system32\WINTRUST.dll" successful="1" address="&#x24;76BF0000" end_address="&#x24;76C1E000" size="188416"/>
<load_dll filename="C:\WINDOWS\system32\CRYPT32.dll" successful="1" address="&#x24;77A50000" end_address="&#x24;77AE6000" size="614400"/>
<load_dll filename="C:\WINDOWS\system32\MSASN1.dll" successful="1" address="&#x24;77AF0000" end_address="&#x24;77B02000" size="73728"/>
<load_dll filename="C:\WINDOWS\system32\IMAGEHLP.dll" successful="1" address="&#x24;76C50000" end_address="&#x24;76C78000" size="163840"/>
<load_dll filename="c:\windows\system32\AUTHZ.dll" successful="1" address="&#x24;77690000" end_address="&#x24;776A2000" size="73728"/>
<load_dll filename="c:\windows\system32\mstlsapi.dll" successful="1" address="&#x24;75090000" end_address="&#x24;750AF000" size="126976"/>
<load_dll filename="c:\windows\system32\ACTIVEDS.dll" successful="1" address="&#x24;77C90000" end_address="&#x24;77CC2000" size="204800"/>
<load_dll filename="c:\windows\system32\adsldpc.dll" successful="1" address="&#x24;76DD0000" end_address="&#x24;76DF5000" size="151552"/>
<load_dll filename="C:\WINDOWS\system32\NETAPI32.dll" successful="1" address="&#x24;597D0000" end_address="&#x24;59825000" size="348160"/>
<load_dll filename="c:\windows\system32\ATL.DLL" successful="1" address="&#x24;76AD0000" end_address="&#x24;76AE1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\REGAPI.dll" successful="1" address="&#x24;76B70000" end_address="&#x24;76B7F000" size="61440"/>
<load_dll filename="C:\WINDOWS\system32\rsaenh.dll" successful="1" address="&#x24;68000000" end_address="&#x24;68036000" size="221184"/>
<load_dll filename="C:\WINDOWS\system32\Apphelp.dll" successful="1" address="&#x24;77B10000" end_address="&#x24;77B32000" size="139264"/>
<load_dll filename="C:\WINDOWS\system32\pstorec.dll" successful="1" address="&#x24;5E490000" end_address="&#x24;5E49D000" size="53248"/>
</dll_handling_section>
</process>
<process index="3" pid="2772" filename="c:\PostalGusanito.exe" filesize="239424" md5="30ccf558ea5d08e830942f9cb4a03e26" sha1="54e4a1b6b5b145fa0b659b1c583aa732c2442458" username="Administrator" parentindex="1" starttime="00:10.297" terminationtime="00:29.156" startreason="CreateProcess" terminationreason="NormalTermination" executionstatus="OK">
<dll_handling_section>
<load_image filename="c:\PostalGusanito.exe" successful="1" address="&#x24;400000" end_address="&#x24;41D000" size="118784"/>
<load_dll filename="C:\WINDOWS\system32\ntdll.dll" successful="1" address="&#x24;7C910000" end_address="&#x24;7C9C9000" size="757760" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\kernel32.dll" successful="1" address="&#x24;7C800000" end_address="&#x24;7C908000" size="1081344"/>
<load_dll filename="C:\WINDOWS\system32\user32.dll" successful="1" address="&#x24;7E360000" end_address="&#x24;7E3F1000" size="593920" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\GDI32.dll" successful="1" address="&#x24;77EF0000" end_address="&#x24;77F39000" size="299008"/>
<load_dll filename="C:\WINDOWS\system32\advapi32.dll" successful="1" address="&#x24;77DA0000" end_address="&#x24;77E4A000" size="696320" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\RPCRT4.dll" successful="1" address="&#x24;77E50000" end_address="&#x24;77EE2000" size="598016"/>
<load_dll filename="C:\WINDOWS\system32\Secur32.dll" successful="1" address="&#x24;77FC0000" end_address="&#x24;77FD1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\oleaut32.dll" successful="1" address="&#x24;770F0000" end_address="&#x24;7717B000" size="569344"/>
<load_dll filename="C:\WINDOWS\system32\msvcrt.dll" successful="1" address="&#x24;77BE0000" end_address="&#x24;77C38000" size="360448"/>
<load_dll filename="C:\WINDOWS\system32\ole32.dll" successful="1" address="&#x24;774B0000" end_address="&#x24;775ED000" size="1298432"/>
<load_dll filename="C:\WINDOWS\system32\IMM32.DLL" successful="1" address="&#x24;76330000" end_address="&#x24;7634D000" size="118784" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\pstorec.dll" successful="1" address="&#x24;5E490000" end_address="&#x24;5E49D000" size="53248"/>
<load_dll filename="C:\WINDOWS\system32\ATL.DLL" successful="1" address="&#x24;76AD0000" end_address="&#x24;76AE1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\ws2_32.dll" successful="1" address="&#x24;71A10000" end_address="&#x24;71A27000" size="94208"/>
<load_dll filename="C:\WINDOWS\system32\wininet.dll" successful="1" address="&#x24;441E0000" end_address="&#x24;442B0000" size="851968"/>
<load_dll filename="C:\WINDOWS\system32\shell32.dll" successful="1" address="&#x24;7E670000" end_address="&#x24;7EE91000" size="8523776"/>
</dll_handling_section>
<filesystem_section>
<create_directory filetype="file" srcfile="C:\RECYCLER"/>
<set_file_attributes filetype="file" srcfile="C:\RECYCLER" desiredaccess="FILE_ANY_ACCESS" flags="FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS"/>
<create_directory filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728"/>
<set_file_attributes filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728" desiredaccess="FILE_ANY_ACCESS" flags="FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS"/>
<create_file filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini" creationdistribution="CREATE_ALWAYS" desiredaccess="FILE_ANY_ACCESS" flags="FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS" stored_as="e783bdd20a976eaeaae1ff4624487420.ini"/>
</filesystem_section>
<registry_section>
<open_key key="HKEY_CURRENT_USER\Keyboard Layout\Preload"/>
</registry_section>
<process_section>
<enum_modules targetpid="2772" apifunction="RtlQueryProcessDebugInformation" quantity="2"/>
<enum_processes apifunction="Process32First" quantity="2"/>
<open_process targetpid="1704" desiredaccess="PROCESS_CREATE_THREAD PROCESS_DUP_HANDLE PROCESS_QUERY_INFORMATION PROCESS_VM_OPERATION PROCESS_VM_READ PROCESS_VM_WRITE" apifunction="NtOpenProcess" successful="1"/>
<open_process targetpid="4" desiredaccess="PROCESS_CREATE_THREAD PROCESS_DUP_HANDLE PROCESS_QUERY_INFORMATION PROCESS_VM_OPERATION PROCESS_VM_READ PROCESS_VM_WRITE" apifunction="NtOpenProcess" successful="1"/>
<kill_process targetpid="2772" apifunction="NtTerminateProcess"/>
</process_section>
<system_section>
<sleep milliseconds="1" quantity="768"/>
<sleep milliseconds="500"/>
<sleep milliseconds="2000"/>
</system_section>
<system_info_section>
<get_system_time apifunction="GetLocalTime"/>
<get_system_directory/>
</system_info_section>
<thread_section>
<create_thread targetpid="2772" threadid="2808" address="&#x24;77DC848A" parameteraddress="&#x24;00000000"/>
<create_thread_remote targetpid="1704" threadid="2812" address="&#x24;01E51A80" parameteraddress="&#x24;01E60000" creationflags="CREATE_SUSPENDED"/>
</thread_section>
<user_section>
<get_username tokenhandle="0"/>
</user_section>
<virtual_memory_section>
<vm_protect targetpid="2772" wantedaddress="&#x24;44200BCA" address="&#x24;44200000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.InternetOpenUrlA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;44200BCA" address="&#x24;44200000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.InternetOpenUrlA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;4424AF69" address="&#x24;4424A000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.InternetOpenUrlW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;4424AF69" address="&#x24;4424A000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.InternetOpenUrlW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F4321" address="&#x24;441F4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.HttpOpenRequestA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F4321" address="&#x24;441F4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.HttpOpenRequestA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F5D42" address="&#x24;441F5000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.HttpOpenRequestW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F5D42" address="&#x24;441F5000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.HttpOpenRequestW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F497A" address="&#x24;441F4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.InternetConnectA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F497A" address="&#x24;441F4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.InternetConnectA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F5B68" address="&#x24;441F5000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="WININET.dll.InternetConnectW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;441F5B68" address="&#x24;441F5000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="WININET.dll.InternetConnectW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E77410F" address="&#x24;7E774000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="SHELL32.dll.SHLoadInProc"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E77410F" address="&#x24;7E774000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="SHELL32.dll.SHLoadInProc"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6F11E0" address="&#x24;7E6F1000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="SHELL32.dll.ShellExecuteA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6F11E0" address="&#x24;7E6F1000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="SHELL32.dll.ShellExecuteA"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E765D48" address="&#x24;7E765000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="SHELL32.dll.ShellExecuteW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E765D48" address="&#x24;7E765000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="SHELL32.dll.ShellExecuteW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6B996B" address="&#x24;7E6B9000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="SHELL32.dll.ShellExecuteExW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6B996B" address="&#x24;7E6B9000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="SHELL32.dll.ShellExecuteExW"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6F0EB5" address="&#x24;7E6F0000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal" target="SHELL32.dll.ShellExecuteEx"/>
<vm_protect targetpid="2772" wantedaddress="&#x24;7E6F0EB5" address="&#x24;7E6F0000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal" target="SHELL32.dll.ShellExecuteEx"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;01670000" wantedsize="3566" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="1704" address="&#x24;01670000" size="3566" behavior="Normal"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;01D70000" wantedsize="2280" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="1704" address="&#x24;01D70000" size="2280" behavior="Normal"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;01E40000" wantedsize="576" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="1704" address="&#x24;01E40000" size="576" behavior="Normal"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;01E50000" wantedsize="64730" size="65536" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="1704" address="&#x24;01E50000" size="64730" behavior="Normal"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;01E60000" wantedsize="1732" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="1704" address="&#x24;01E60000" size="1732" behavior="Normal"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;00000000" address="&#x24;02A10000" wantedsize="1048576" size="1048576" protect="PAGE_READWRITE" allocationtype="MEM_RESERVE"/>
<vm_allocate targetpid="1704" wantedaddress="&#x24;02AEF000" address="&#x24;02AEF000" wantedsize="135168" size="135168" protect="PAGE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_protect targetpid="1704" wantedaddress="&#x24;02AEF000" address="&#x24;02AEF000" wantedsize="4096" size="4096" protect="PAGE_READWRITE PAGE_GUARD" behavior="Normal"/>
<vm_allocate targetpid="4" wantedaddress="&#x24;00000000" address="&#x24;00040000" wantedsize="256" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="4" address="&#x24;00040000" size="256" behavior="Normal"/>
<vm_allocate targetpid="4" wantedaddress="&#x24;00000000" address="&#x24;00050000" wantedsize="284" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="4" address="&#x24;00050000" size="284" behavior="Normal"/>
<vm_allocate targetpid="4" wantedaddress="&#x24;00000000" address="&#x24;00170000" wantedsize="256" size="4096" protect="PAGE_EXECUTE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_write targetpid="4" address="&#x24;00170000" size="256" behavior="Normal"/>
<vm_allocate targetpid="4" wantedaddress="&#x24;00000000" address="&#x24;00180000" wantedsize="1048576" size="1048576" protect="PAGE_READWRITE" allocationtype="MEM_RESERVE"/>
<vm_allocate targetpid="4" wantedaddress="&#x24;0025F000" address="&#x24;0025F000" wantedsize="135168" size="135168" protect="PAGE_READWRITE" allocationtype="MEM_COMMIT"/>
<vm_protect targetpid="4" wantedaddress="&#x24;0025F000" address="&#x24;0025F000" wantedsize="4096" size="4096" protect="PAGE_READWRITE PAGE_GUARD" behavior="Normal"/>
</virtual_memory_section>
<stored_created_files_section>
<!-- The only file captured from this process is a 63-byte Desktop.ini dropped into the RECYCLER
     subfolder used by the sample. A Desktop.ini in a folder changes how Explorer presents that
     folder; its content is not shown in this report, so the exact effect cannot be stated here.
     Note that the folder's SID-like name cannot be a real SID: its fourth sub-authority
     (5958425421) exceeds the 32-bit range of a SID sub-authority. -->
<stored_created_file srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini" dstfile="e783bdd20a976eaeaae1ff4624487420.ini" filesize="63"/>
</stored_created_files_section>
</process>
<process index="4" pid="1704" filename="C:\WINDOWS\Explorer.EXE" filesize="1036800" md5="418045a93cd87a352098ab7dabe1b53e" sha1="98b9ad668e0727be888b861f49aac0f72725e634" username="Administrator" parentindex="3" starttime="00:25.922" terminationtime="02:01.469" startreason="InjectedCode" terminationreason="Timeout" executionstatus="OK">
<!-- Explorer.EXE (pid 1704) is in the report because code was injected into it
     (startreason="InjectedCode", parentindex="3"). The RWX allocations and writes that placed the
     code are the vm_allocate/vm_write pairs with targetpid="1704" logged under the injecting
     process earlier in the report. Everything below is the combined activity of Explorer and the
     injected code, so Explorer's normal start-up noise is mixed in and has to be separated by hand.
     The process was still alive when the run ended (terminationreason="Timeout"). -->
<dll_handling_section>
<!-- Module list for the whole Explorer process; most entries are Explorer's usual dependencies.
     The base addresses recorded here are what allow addresses elsewhere in this report to be
     attributed (e.g. the hook_module value in windows_hook_section). Network-capable modules
     present: ws2_32.dll (loaded twice, quantity="2"), WININET.dll, WINHTTP.dll, urlmon.dll,
     RASAPI32.dll. -->
<load_image filename="C:\WINDOWS\Explorer.EXE" successful="1" address="&#x24;1000000" end_address="&#x24;10FF000" size="1044480"/>
<load_dll filename="C:\WINDOWS\system32\ntdll.dll" successful="1" address="&#x24;7C910000" end_address="&#x24;7C9C9000" size="757760"/>
<load_dll filename="C:\WINDOWS\system32\kernel32.dll" successful="1" address="&#x24;7C800000" end_address="&#x24;7C908000" size="1081344"/>
<load_dll filename="C:\WINDOWS\system32\ADVAPI32.dll" successful="1" address="&#x24;77DA0000" end_address="&#x24;77E4A000" size="696320"/>
<load_dll filename="C:\WINDOWS\system32\RPCRT4.dll" successful="1" address="&#x24;77E50000" end_address="&#x24;77EE2000" size="598016"/>
<load_dll filename="C:\WINDOWS\system32\Secur32.dll" successful="1" address="&#x24;77FC0000" end_address="&#x24;77FD1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\BROWSEUI.dll" successful="1" address="&#x24;75F20000" end_address="&#x24;7601D000" size="1036288"/>
<load_dll filename="C:\WINDOWS\system32\GDI32.dll" successful="1" address="&#x24;77EF0000" end_address="&#x24;77F39000" size="299008"/>
<load_dll filename="C:\WINDOWS\system32\USER32.dll" successful="1" address="&#x24;7E360000" end_address="&#x24;7E3F1000" size="593920"/>
<load_dll filename="C:\WINDOWS\system32\msvcrt.dll" successful="1" address="&#x24;77BE0000" end_address="&#x24;77C38000" size="360448"/>
<load_dll filename="C:\WINDOWS\system32\ole32.dll" successful="1" address="&#x24;774B0000" end_address="&#x24;775ED000" size="1298432"/>
<load_dll filename="C:\WINDOWS\system32\SHLWAPI.dll" successful="1" address="&#x24;77F40000" end_address="&#x24;77FB6000" size="483328"/>
<load_dll filename="C:\WINDOWS\system32\OLEAUT32.dll" successful="1" address="&#x24;770F0000" end_address="&#x24;7717B000" size="569344"/>
<load_dll filename="C:\WINDOWS\system32\SHDOCVW.dll" successful="1" address="&#x24;7E1E0000" end_address="&#x24;7E351000" size="1511424"/>
<load_dll filename="C:\WINDOWS\system32\CRYPT32.dll" successful="1" address="&#x24;77A50000" end_address="&#x24;77AE6000" size="614400"/>
<load_dll filename="C:\WINDOWS\system32\MSASN1.dll" successful="1" address="&#x24;77AF0000" end_address="&#x24;77B02000" size="73728"/>
<load_dll filename="C:\WINDOWS\system32\CRYPTUI.dll" successful="1" address="&#x24;76880000" end_address="&#x24;76905000" size="544768"/>
<load_dll filename="C:\WINDOWS\system32\NETAPI32.dll" successful="1" address="&#x24;597D0000" end_address="&#x24;59825000" size="348160"/>
<load_dll filename="C:\WINDOWS\system32\VERSION.dll" successful="1" address="&#x24;77BD0000" end_address="&#x24;77BD8000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\WININET.dll" successful="1" address="&#x24;441E0000" end_address="&#x24;442B0000" size="851968"/>
<load_dll filename="C:\WINDOWS\system32\Normaliz.dll" successful="1" address="&#x24;400000" end_address="&#x24;409000" size="36864"/>
<load_dll filename="C:\WINDOWS\system32\iertutil.dll" successful="1" address="&#x24;43F60000" end_address="&#x24;43FA5000" size="282624"/>
<load_dll filename="C:\WINDOWS\system32\WINTRUST.dll" successful="1" address="&#x24;76BF0000" end_address="&#x24;76C1E000" size="188416"/>
<load_dll filename="C:\WINDOWS\system32\IMAGEHLP.dll" successful="1" address="&#x24;76C50000" end_address="&#x24;76C78000" size="163840"/>
<load_dll filename="C:\WINDOWS\system32\WLDAP32.dll" successful="1" address="&#x24;76F20000" end_address="&#x24;76F4D000" size="184320"/>
<load_dll filename="C:\WINDOWS\system32\SHELL32.dll" successful="1" address="&#x24;7E670000" end_address="&#x24;7EE91000" size="8523776"/>
<load_dll filename="C:\WINDOWS\system32\UxTheme.dll" successful="1" address="&#x24;5B0F0000" end_address="&#x24;5B128000" size="229376"/>
<load_dll filename="C:\WINDOWS\system32\ShimEng.dll" successful="1" address="&#x24;5CF00000" end_address="&#x24;5CF26000" size="155648"/>
<load_dll filename="C:\WINDOWS\AppPatch\AcGenral.DLL" successful="1" address="&#x24;6FD90000" end_address="&#x24;6FF5A000" size="1875968"/>
<load_dll filename="C:\WINDOWS\system32\WINMM.dll" successful="1" address="&#x24;76AF0000" end_address="&#x24;76B1E000" size="188416"/>
<load_dll filename="C:\WINDOWS\system32\MSACM32.dll" successful="1" address="&#x24;77BB0000" end_address="&#x24;77BC5000" size="86016"/>
<load_dll filename="C:\WINDOWS\system32\USERENV.dll" successful="1" address="&#x24;76620000" end_address="&#x24;766D6000" size="745472"/>
<load_dll filename="C:\WINDOWS\system32\IMM32.DLL" successful="1" address="&#x24;76330000" end_address="&#x24;7634D000" size="118784"/>
<load_dll filename="C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\" successful="1" address="&#x24;773A0000" end_address="&#x24;774A3000" size="1060864"/>
<load_dll filename="C:\WINDOWS\system32\comctl32.dll" successful="1" address="&#x24;5D450000" end_address="&#x24;5D4EA000" size="630784"/>
<load_dll filename="C:\WINDOWS\system32\msctfime.ime" successful="1" address="&#x24;75250000" end_address="&#x24;7527E000" size="188416"/>
<load_dll filename="C:\WINDOWS\system32\appHelp.dll" successful="1" address="&#x24;77B10000" end_address="&#x24;77B32000" size="139264"/>
<load_dll filename="C:\WINDOWS\system32\CLBCATQ.DLL" successful="1" address="&#x24;76F90000" end_address="&#x24;7700F000" size="520192"/>
<load_dll filename="C:\WINDOWS\system32\COMRes.dll" successful="1" address="&#x24;77010000" end_address="&#x24;770E3000" size="864256"/>
<load_dll filename="C:\WINDOWS\System32\cscui.dll" successful="1" address="&#x24;779F0000" end_address="&#x24;77A46000" size="352256"/>
<load_dll filename="C:\WINDOWS\System32\CSCDLL.dll" successful="1" address="&#x24;765A0000" end_address="&#x24;765BD000" size="118784"/>
<load_dll filename="C:\WINDOWS\system32\themeui.dll" successful="1" address="&#x24;5B9B0000" end_address="&#x24;5BA22000" size="466944"/>
<load_dll filename="C:\WINDOWS\system32\MSIMG32.dll" successful="1" address="&#x24;76320000" end_address="&#x24;76325000" size="20480"/>
<load_dll filename="C:\WINDOWS\system32\xpsp2res.dll" successful="1" address="&#x24;1100000" end_address="&#x24;13D9000" size="2985984"/>
<load_dll filename="C:\WINDOWS\system32\ACTXPRXY.DLL" successful="1" address="&#x24;71CC0000" end_address="&#x24;71CDB000" size="110592"/>
<load_dll filename="C:\WINDOWS\system32\msutb.dll" successful="1" address="&#x24;60010000" end_address="&#x24;60043000" size="208896"/>
<load_dll filename="C:\WINDOWS\system32\MSCTF.dll" successful="1" address="&#x24;746A0000" end_address="&#x24;746EC000" size="311296"/>
<load_dll filename="C:\WINDOWS\system32\SAMLIB.dll" successful="1" address="&#x24;71B70000" end_address="&#x24;71B83000" size="77824"/>
<load_dll filename="C:\WINDOWS\system32\ieframe.dll" successful="1" address="&#x24;444C0000" end_address="&#x24;44A8D000" size="6082560"/>
<load_dll filename="C:\WINDOWS\system32\PSAPI.DLL" successful="1" address="&#x24;76BB0000" end_address="&#x24;76BBB000" size="45056"/>
<load_dll filename="C:\WINDOWS\system32\urlmon.dll" successful="1" address="&#x24;452E0000" end_address="&#x24;45407000" size="1208320"/>
<load_dll filename="C:\WINDOWS\system32\LINKINFO.dll" successful="1" address="&#x24;76930000" end_address="&#x24;76938000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\ntshrui.dll" successful="1" address="&#x24;76940000" end_address="&#x24;76966000" size="155648"/>
<load_dll filename="C:\WINDOWS\system32\ATL.DLL" successful="1" address="&#x24;76AD0000" end_address="&#x24;76AE1000" size="69632"/>
<load_dll filename="C:\WINDOWS\system32\mshtml.dll" successful="1" address="&#x24;41BE0000" end_address="&#x24;41F54000" size="3620864"/>
<load_dll filename="C:\WINDOWS\system32\msls31.dll" successful="1" address="&#x24;14E0000" end_address="&#x24;1509000" size="167936"/>
<load_dll filename="C:\WINDOWS\system32\SETUPAPI.dll" successful="1" address="&#x24;778F0000" end_address="&#x24;779E4000" size="999424"/>
<load_dll filename="C:\WINDOWS\system32\ws2_32.dll" successful="1" address="&#x24;71A10000" end_address="&#x24;71A27000" size="94208" quantity="2"/>
<load_dll filename="C:\WINDOWS\system32\WS2HELP.dll" successful="1" address="&#x24;71A00000" end_address="&#x24;71A08000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\RASAPI32.dll" successful="1" address="&#x24;76EA0000" end_address="&#x24;76EDC000" size="245760"/>
<load_dll filename="C:\WINDOWS\system32\rasman.dll" successful="1" address="&#x24;76E50000" end_address="&#x24;76E62000" size="73728"/>
<load_dll filename="C:\WINDOWS\system32\TAPI32.dll" successful="1" address="&#x24;76E70000" end_address="&#x24;76E9F000" size="192512"/>
<load_dll filename="C:\WINDOWS\system32\rtutils.dll" successful="1" address="&#x24;76E40000" end_address="&#x24;76E4E000" size="57344"/>
<load_dll filename="C:\WINDOWS\system32\NETSHELL.dll" successful="1" address="&#x24;763A0000" end_address="&#x24;7654A000" size="1744896"/>
<load_dll filename="C:\WINDOWS\system32\credui.dll" successful="1" address="&#x24;76BC0000" end_address="&#x24;76BEF000" size="192512"/>
<load_dll filename="C:\WINDOWS\system32\dot3api.dll" successful="1" address="&#x24;5F8F0000" end_address="&#x24;5F8FA000" size="40960"/>
<load_dll filename="C:\WINDOWS\system32\dot3dlg.dll" successful="1" address="&#x24;71260000" end_address="&#x24;71266000" size="24576"/>
<load_dll filename="C:\WINDOWS\system32\OneX.DLL" successful="1" address="&#x24;72760000" end_address="&#x24;72788000" size="163840"/>
<load_dll filename="C:\WINDOWS\system32\WTSAPI32.dll" successful="1" address="&#x24;76F10000" end_address="&#x24;76F18000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\WINSTA.dll" successful="1" address="&#x24;76300000" end_address="&#x24;76310000" size="65536"/>
<load_dll filename="C:\WINDOWS\system32\eappcfg.dll" successful="1" address="&#x24;6DB40000" end_address="&#x24;6DB62000" size="139264"/>
<load_dll filename="C:\WINDOWS\system32\MSVCP60.dll" successful="1" address="&#x24;76020000" end_address="&#x24;76085000" size="413696"/>
<load_dll filename="C:\WINDOWS\system32\eappprxy.dll" successful="1" address="&#x24;47700000" end_address="&#x24;4770E000" size="57344"/>
<load_dll filename="C:\WINDOWS\system32\iphlpapi.dll" successful="1" address="&#x24;76D20000" end_address="&#x24;76D39000" size="102400"/>
<load_dll filename="C:\WINDOWS\system32\rsaenh.dll" successful="1" address="&#x24;68000000" end_address="&#x24;68036000" size="221184"/>
<load_dll filename="C:\WINDOWS\system32\msimtf.dll" successful="1" address="&#x24;74670000" end_address="&#x24;7469A000" size="172032"/>
<load_dll filename="C:\WINDOWS\system32\webcheck.dll" successful="1" address="&#x24;44410000" end_address="&#x24;4444C000" size="245760"/>
<load_dll filename="C:\WINDOWS\system32\stobject.dll" successful="1" address="&#x24;765C0000" end_address="&#x24;765E1000" size="135168"/>
<load_dll filename="C:\WINDOWS\system32\BatMeter.dll" successful="1" address="&#x24;74A70000" end_address="&#x24;74A7A000" size="40960"/>
<load_dll filename="C:\WINDOWS\system32\POWRPROF.dll" successful="1" address="&#x24;74A50000" end_address="&#x24;74A58000" size="32768"/>
<load_dll filename="C:\WINDOWS\system32\WPDShServiceObj.dll" successful="1" address="&#x24;164A0000" end_address="&#x24;164C3000" size="143360"/>
<load_dll filename="C:\WINDOWS\system32\WINHTTP.dll" successful="1" address="&#x24;4D5C0000" end_address="&#x24;4D619000" size="364544"/>
<load_dll filename="C:\WINDOWS\system32\mydocs.dll" successful="1" address="&#x24;723A0000" end_address="&#x24;723BA000" size="106496"/>
<load_dll filename="C:\WINDOWS\system32\PortableDeviceTypes.dll" successful="1" address="&#x24;109C0000" end_address="&#x24;109EC000" size="180224"/>
<load_dll filename="C:\WINDOWS\system32\PortableDeviceApi.dll" successful="1" address="&#x24;10930000" end_address="&#x24;10979000" size="299008"/>
<load_dll filename="C:\WINDOWS\system32\msv1_0.dll" successful="1" address="&#x24;77C40000" end_address="&#x24;77C64000" size="147456"/>
<load_dll filename="C:\WINDOWS\system32\sensapi.dll" successful="1" address="&#x24;72240000" end_address="&#x24;72245000" size="20480"/>
<load_dll filename="C:\WINDOWS\system32\pstorec.dll" successful="1" address="&#x24;5E490000" end_address="&#x24;5E49D000" size="53248"/>
</dll_handling_section>
<filesystem_section>
<!-- Persistence staging: the sample is copied to a RECYCLER subfolder named like a per-user
     Recycle Bin SID and the copy is marked hidden + system + read-only. The SID-like name cannot
     be genuine (its fourth sub-authority 5958425421 exceeds the 32-bit range of a SID
     sub-authority), which makes the folder name itself a hunting heuristic. The stored_as value
     is the same md5-derived artifact name that appears in stored_created_files_section below, so
     the copy appears to be the unmodified sample. -->
<copy_file filetype="file" srcfile="c:\PostalGusanito.exe" dstfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe" creationdistribution="CREATE_ALWAYS" desiredaccess="FILE_ANY_ACCESS" flags="SECURITY_ANONYMOUS" stored_as="30ccf558ea5d08e830942f9cb4a03e26.exe"/>
<set_file_attributes filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe" desiredaccess="FILE_ANY_ACCESS" flags="FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS"/>
<create_open_file filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe" creationdistribution="OPEN_ALWAYS" desiredaccess="FILE_ANY_ACCESS" shareaccess="FILE_SHARE_READ" flags="SECURITY_ANONYMOUS" stored_as="30ccf558ea5d08e830942f9cb4a03e26.exe"/>
<create_open_file filetype="file" srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\Desktop.ini" creationdistribution="OPEN_ALWAYS" desiredaccess="FILE_ANY_ACCESS" shareaccess="FILE_SHARE_READ" flags="SECURITY_ANONYMOUS"/>
<!-- The inbound named pipe below and the mutex in mutex_section share a name stem (roo000uua...);
     both are plausible host-based infection markers, although their purpose is not shown here. -->
<create_namedpipe filetype="namedpipe" srcfile="\\.\pipe\roo000uuattt" desiredaccess="FILE_ANY_ACCESS" flags="SECURITY_ANONYMOUS" namedpipeopenmode="PIPE_ACCESS_INBOUND"/>
<!-- \Device\RasAcd and \\.\PIPE\lsarpc are most likely opened by the RAS/networking and LSA
     client code paths (consistent with the RAS, NETAPI32 and SAMLIB modules loaded above);
     treat them as supporting activity rather than as the payload itself. -->
<create_open_file filetype="file" srcfile="\Device\RasAcd" creationdistribution="OPEN_ALWAYS" desiredaccess="FILE_ANY_ACCESS FILE_READ_ACCESS FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_ACCESS FILE_WRITE_DATA FILE_ADD_FILE" shareaccess="FILE_SHARE_READ FILE_SHARE_WRITE" flags="FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS" quantity="2"/>
<open_file filetype="namedpipe" srcfile="\\.\PIPE\lsarpc" creationdistribution="OPEN_EXISTING" desiredaccess="FILE_ANY_ACCESS" shareaccess="FILE_SHARE_READ FILE_SHARE_WRITE" flags="SECURITY_ANONYMOUS"/>
</filesystem_section>
<mutex_section>
<!-- Unowned mutex with a name stem matching the named pipe in filesystem_section; typical
     single-instance / infection marker, usable as a host IoC for this sample. -->
<create_mutex name="roo000uuaaat" owned="0"/>
</mutex_section>
<registry_section>
<!-- Persistence: the Winlogon "Taskman" value is pointed at the hidden copy in RECYCLER.
     This value names the program Winlogon/the shell launch in place of Task Manager and is a
     well-known autostart location; it is rarely set on a normal system, so any write to it is a
     high-signal detection. The key is opened and the value queried 26 times (quantity="26")
     while only one set_value is logged, which suggests the injected code polls the value in its
     sleep loop (see system_section) and would re-set it if removed. -->
<open_key key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" quantity="26"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" value="Taskman" quantity="26"/>
<set_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" value="Taskman" data="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe"/>
<!-- The CTF and Rpc\SecurityService reads below are consistent with ordinary shell start-up
     noise and are not attributed to the injected code. -->
<open_key key="HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF"/>
<query_value key="HKEY_CURRENT_USER\Software\Microsoft\CTF" value="Disable Thread Input Manager"/>
<open_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared" value="CUAS"/>
<open_key key="HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService"/>
<query_value key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService" value="DefaultAuthLevel"/>
</registry_section>
<system_section>
<!-- One 10 s initial delay, then 5153 sleeps of 10 ms: a tight polling loop. The count is close
     to the 5103 zero-length recv_datagram calls in winsock_section, so the loop most likely
     polls the UDP socket (and, given the 26 registry reads, the persistence value). -->
<sleep milliseconds="10000"/>
<sleep milliseconds="10" quantity="5153"/>
</system_section>
<user_section>
<get_username tokenhandle="0"/>
</user_section>
<virtual_memory_section>
<!-- An 8-byte range at $719D4174 is made writable (PAGE_EXECUTE_READWRITE) and then restored to
     PAGE_EXECUTE_READ: the usual footprint of an inline code patch or hook. No module with a base
     near $719D0000 appears in dll_handling_section, so the patched module cannot be identified
     from this report. -->
<vm_protect targetpid="1704" wantedaddress="&#x24;719D4174" address="&#x24;719D4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READWRITE" behavior="Normal"/>
<vm_protect targetpid="1704" wantedaddress="&#x24;719D4174" address="&#x24;719D4000" wantedsize="8" size="4096" protect="PAGE_EXECUTE_READ" behavior="Normal"/>
</virtual_memory_section>
<window_section>
<!-- "nobbclass": height/width 2147483648 = 0x80000000 (CW_USEDEFAULT), style WS_OVERLAPPED
     without WS_VISIBLE, so the window is never shown; an unshown top-level window is a common way
     to obtain a message loop/timers. The "Default IME" window is created automatically for any
     thread that owns a window and is not significant on its own. -->
<create_window hwnd="&#x24;00020146" classname="IME" windowname="Default IME" height="0" width="0" top="0" left="0" style="WS_DISABLED WS_OVERLAPPED WS_POPUP WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR"/>
<create_window hwnd="&#x24;00020144" classname="nobbclass" windowname="nobbclass" height="2147483648" width="2147483648" top="174" left="132" style="WS_OVERLAPPED WS_TILED" exstyle="WS_EX_LEFT WS_EX_LTRREADING WS_EX_RIGHTSCROLLBAR"/>
</window_section>
<winsock_section>
<!-- Network IoCs from this run: infotechpro.info resolved to 216.66.76.209, followed by a UDP
     session to 216.66.76.209:7006 (protocol="Unknown", i.e. no recognised application protocol).
     The second lookup (dell-d3e62f7e26 to 10.1.8.2) is the sandbox host's own name. The ascii
     column of the exchanged payloads shows no readable text, so the channel appears to be
     encoded; its format is not decoded here. Detection angle: outbound UDP to an uncommon high
     port from an Explorer process right after a DNS lookup. The domain/IP pairing is only valid
     as of this run and should be re-validated before being used as an indicator. -->
<connections_unknown>
<connection connectionestablished="0" socket="0">
<gethostbyname requested_host="infotechpro.info" resulting_addr="216.66.76.209"></gethostbyname><gethostbyname requested_host="dell-d3e62f7e26" resulting_addr="10.1.8.2"></gethostbyname>
</connection>
</connections_unknown>
<connections_udp>
<connection transportprotocol="UDP" remoteaddr="216.66.76.209" remoteport="7006" protocol="Unknown" connectionestablished="1" socket="3160">
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="7"/>
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="3" quantity="6"/>
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="60"/>
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="17" quantity="3"/>
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="30"/>
<send_datagram remoteaddr="216.66.76.209" remoteport="7006" size="1"/>
<!-- 5103 zero-byte receives: non-blocking recv polling that matches the 10 ms sleep loop in
     system_section. Only the non-empty datagrams are reproduced in plain_communication_data. -->
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="0" quantity="5103"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="8" quantity="2"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="3" quantity="5"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="81"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="7"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="62"/>
<recv_datagram localport="0" remoteaddr="216.66.76.209" remoteport="7006" size="6"/>
<plain_communication_data>
<!-- Observed pattern: each larger message in one direction is followed by a 3-byte message
     in the other whose first byte is 80 and whose next two bytes repeat bytes 2-3 of the
     message being answered, which looks like an acknowledgement. Whether the encoding is a
     simple transform of plaintext is not established by this report. -->
<send>
<dump_line offset="&#x24;0000" dump="61 A9 0F 3B 29 2B 68                            " ascii="a..;&#x29;&#x2B;h"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="40 A9 0F 4B DF C2 A8 48                         " ascii="&#x40;..K...H"/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 A9 0F                                        " ascii="..."/>
</send>
<send>
<dump_line offset="&#x24;0000" dump="01 A9 0F 4B 8A 8B 0D 58 59 1D 1C 0C 19 18 3D 34 " ascii="...K...XY.....=4"/>
<dump_line offset="&#x24;0010" dump="30 37 30 2A 2D 2B 38 2D 36 2B 59 20 36 2A 31 30 " ascii="070&#x2A;-&#x2B;8-6&#x2B;Y 6&#x2A;10"/>
<dump_line offset="&#x24;0020" dump="77 30 37 3F 36 2B 34 38 2D 30 32 77 2C 37 30 74 " ascii="w07&#x3F;6&#x2B;48-02w,70t"/>
<dump_line offset="&#x24;0030" dump="34 38 37 37 31 3C 30 34 77 3D 3C 59             " ascii="48771&#x3C;04w=&#x3C;Y"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="80 A9 0F                                        " ascii="..."/>
</recv>
<recv>
<dump_line offset="&#x24;0000" dump="01 E9 FB F9 80 DC CD 8C 94 98 89 8C 80 88 CD 8C " ascii="................"/>
<dump_line offset="&#x24;0010" dump="CD 88 81 88 8A 84 9F CD 82 86 D2 CD CD 85 99 99 " ascii="................"/>
<dump_line offset="&#x24;0020" dump="9D D7 C2 C2 9B 84 89 88 9D 82 9E 99 8C 81 88 9E " ascii="................"/>
<dump_line offset="&#x24;0030" dump="C3 82 83 99 85 88 9A 88 8F C3 83 98 C2 89 8C 99 " ascii="................"/>
<dump_line offset="&#x24;0040" dump="8C C2 88 83 99 9F 88 8A 8C 9B 84 9F 99 98 8C 81 " ascii="................"/>
<dump_line offset="&#x24;0050" dump="C2                                              " ascii="."/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 E9 FB                                        " ascii="..."/>
</send>
<send>
<dump_line offset="&#x24;0000" dump="0D AA 0F 8B 5A 5A 5A 06 BD EA 1C 3B 33 36 3F 3E " ascii="....ZZZ....;36&#x3F;&#x3E;"/>
<dump_line offset="&#x24;0010" dump="7B                                              " ascii="&#x7B;"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="01 EA FB FA 8D 86 DE                            " ascii="......."/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 EA FB                                        " ascii="..."/>
</send>
<send>
<dump_line offset="&#x24;0000" dump="0D AB 0F 8A 5B 5B 5B 5B 5B 52 1D 3A 32 37 3E 3F " ascii="....[[[[[R.:27&#x3E;&#x3F;"/>
<dump_line offset="&#x24;0010" dump="7A                                              " ascii="z"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="01 EB FB FB 8C 87 DE CF DE DE D9 C1 DF C1 DE D8 " ascii="................"/>
<dump_line offset="&#x24;0010" dump="C1 DE DE D6 AF DD DF DF C1 DC DE C1 DD DF D9 C1 " ascii="................"/>
<dump_line offset="&#x24;0020" dump="D7 DC C3 DD DF DF C1 DC DF C1 DE DF DF C1 DE DF " ascii="................"/>
<dump_line offset="&#x24;0030" dump="D7 C3 DE D6 DF C1 D9 D9 C1 D9 C1 DD D9 D4       " ascii=".............."/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 EB FB                                        " ascii="..."/>
</send>
<send>
<dump_line offset="&#x24;0000" dump="0D AC 0F 8D 5C 5C 5C 3D 5C 5C 1A 3D 35 30 39 38 " ascii="....\\\=\\.=5098"/>
<dump_line offset="&#x24;0010" dump="7D                                              " ascii="&#x7D;"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="01 EC FB FC 9D D9                               " ascii="......"/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 EC FB                                        " ascii="..."/>
</send>
<send>
<dump_line offset="&#x24;0000" dump="0D AD 0F 8C 5D 5D 5D 3C 5D 5D 08 0E 1F 7D 2E 2D " ascii="....]]]&#x3C;]]...&#x7D;.-"/>
<dump_line offset="&#x24;0010" dump="2F 38 3C 39 38 2F 7D 2F 28 33 33 34 33 3A       " ascii="/8&#x3C;98/&#x7D;/&#x28;3343:"/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="01 ED FB FD 9A D8 C9 D8                         " ascii="........"/>
</recv>
<send>
<dump_line offset="&#x24;0000" dump="80 ED FB                                        " ascii="..."/>
</send>
<recv>
<dump_line offset="&#x24;0000" dump="80 AA 0F                                        " ascii="..."/>
</recv>
<recv>
<dump_line offset="&#x24;0000" dump="80 AB 0F                                        " ascii="..."/>
</recv>
</plain_communication_data>
</connection>
</connections_udp>
</winsock_section>
<windows_hook_section>
<!-- hook_module $746A0000 is the base of MSCTF.dll (see dll_handling_section) and the hooks are
     thread-scoped (threadid="2812"), not global. These are the Text Services Framework's own
     keyboard/mouse hooks, not evidence of keylogging by the injected code; do not report them
     as such without further proof. -->
<set_windows_hook hookid="WH_KEYBOARD" threadid="2812" hook_address="&#x24;746B07C3" hook_module="&#x24;746A0000"/>
<set_windows_hook hookid="WH_MOUSE" threadid="2812" hook_address="&#x24;746B04CD" hook_module="&#x24;746A0000"/>
</windows_hook_section>
<stored_created_files_section>
<!-- The dropped persistence copy was captured by the sandbox under its md5-derived name, the
     same artifact name given in stored_as on the copy_file entry in filesystem_section. -->
<stored_created_file srcfile="C:\RECYCLER\S-1-5-21-5958425421-3957254089-243659589-2728\xpupdate.exe" dstfile="30ccf558ea5d08e830942f9cb4a03e26.exe" filesize="239424"/>
</stored_created_files_section>
</process>
<process index="5" pid="792" filename="C:\WINDOWS\system32\services.exe" filesize="111104" md5="a3edbe9053889fb24ab22492472b39dc" sha1="7153d4d113c47379fb57aad4918a2f2a64f0c9ee" username="SYSTEM" parentindex="0" starttime="00:38.047" terminationtime="02:01.656" startreason="SCM" terminationreason="Timeout" executionstatus="OK">
<!-- services.exe (SYSTEM) is listed with startreason="SCM" but no activity sections were
     recorded for it; why it was pulled into the report is not shown here, so nothing in this
     entry can be attributed to the sample. -->
</process>
</processes>
<running_processes>
<!-- Sandbox snapshot of the process list. Both sample PIDs (2612, 2772) and the injected
     Explorer (1704) are present; the dropped copy xpupdate.exe is not, so the persistence copy
     had not been started as a separate process by the time of the snapshot. When the snapshot
     was taken relative to the per-process termination times is not recorded here. -->
<running_process pid="0" filename="&#x28;SystemIdle&#x29;"/>
<running_process pid="4" filename="&#x28;System&#x29;"/>
<running_process pid="212" filename="C:\WINDOWS\System32\alg.exe"/>
<running_process pid="244" filename="C:\WINDOWS\system32\wbem\wmiprvse.exe"/>
<running_process pid="372" filename="C:\WINDOWS\system32\svchost.exe" cmdline_parameters="-k LocalService"/>
<running_process pid="632" filename="C:\WINDOWS\system32\SearchIndexer.exe" cmdline_parameters="/Embedding"/>
<running_process pid="676" filename="C:\WINDOWS\System32\smss.exe"/>
<running_process pid="724" filename="C:\WINDOWS\system32\csrss.exe"/>
<running_process pid="748" filename="C:\WINDOWS\system32\winlogon.exe"/>
<running_process pid="792" filename="C:\WINDOWS\system32\services.exe"/>
<running_process pid="804" filename="C:\WINDOWS\system32\lsass.exe"/>
<running_process pid="980" filename="C:\WINDOWS\system32\svchost.exe" cmdline_parameters="-k DcomLaunch"/>
<running_process pid="1052" filename="C:\WINDOWS\system32\svchost.exe" cmdline_parameters="-k rpcss"/>
<running_process pid="1148" filename="C:\WINDOWS\System32\svchost.exe" cmdline_parameters="-k netsvcs"/>
<running_process pid="1244" filename="C:\WINDOWS\system32\svchost.exe" cmdline_parameters="-k NetworkService"/>
<running_process pid="1316" filename="C:\WINDOWS\system32\svchost.exe" cmdline_parameters="-k LocalService"/>
<running_process pid="1376" filename="C:\WINDOWS\system32\verclsid.exe" cmdline_parameters="/S /C &#x7B;2559A1F5-21D7-11D4-BDAF-00C04F60B9F0&#x7D;"/>
<running_process pid="1496" filename="C:\WINDOWS\system32\spoolsv.exe"/>
<running_process pid="1668" filename="C:\WINDOWS\system32\userinit.exe"/>
<running_process pid="1692" filename="C:\WINDOWS\system32\WgaTray.exe"/>
<running_process pid="1704" filename="C:\WINDOWS\Explorer.EXE"/>
<running_process pid="1904" filename="C:\WINDOWS\system32\ctfmon.exe"/>
<running_process pid="1988" filename="C:\WINDOWS\system32\rundll32.exe" cmdline_parameters="fldrclnr.dll,Wizard_RunDLL"/>
<running_process pid="2612" filename="c:\PostalGusanito.exe"/>
<running_process pid="2772" filename="c:\PostalGusanito.exe"/>
</running_processes>
</analysis>
