DeepScan.Generic.Malware.PTk.B2E6ED99_92ba7a6ffb

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The DeepScan creates the following process(es):

taskkill.exe:188
taskkill.exe:1368
taskkill.exe:1376
sc.exe:1500
rundll32.exe:492
cacls.exe:1028

The DeepScan injects its code into the following process(es):

%original file name%.exe:580

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process rundll32.exe:492 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process %original file name%.exe:580 makes changes in the file system.

The DeepScan creates and/or writes to the following file(s):

C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (12169462 bytes)
%WinDir% (384 bytes)
C:\ (4 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (1281 bytes)
C:\$Directory (4 bytes)
%System%\config (104 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\drivers (96 bytes)
%System% (744 bytes)

Registry activity

The process taskkill.exe:188 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 58 FD 22 CB 6E 36 15 12 5C 48 0B 6B 2C 18 C0"

The process taskkill.exe:1368 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 95 7B 00 07 E1 2E B2 06 F3 52 BB D1 AE 48 F5"

The process taskkill.exe:1376 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 A6 E2 CB AA 5C 0A 51 A4 3F 91 3A 4A FC DF DB"

The process sc.exe:1500 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 88 1A A9 31 BF 59 51 8F FE 69 81 45 B8 3A 56"

The process rundll32.exe:492 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 13 19 BE 46 A9 93 D2 E3 FC 62 09 A1 75 92 55"

The process cacls.exe:1028 makes changes in the system registry.

The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 1D 98 88 15 B6 3B 40 D2 86 87 B1 5C 06 33 5D"

Dropped PE files

MD5	File path
47ce67ae447dba7ca7349f53812e9f89	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
8e6fb4575c611d4bd5675319da81b786	c:\WINDOWS\s265006334.dll
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
47ce67ae447dba7ca7349f53812e9f89	c:\WINDOWS\system32\drivers\OLD3.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
3e3b8a35aefc6e462746d6689348fa7e	c:\WINDOWS\system32\m1846741.dll

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   taskkill.exe:188
   taskkill.exe:1368
   taskkill.exe:1376
   sc.exe:1500
   rundll32.exe:492
   cacls.exe:1028

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:

   %System%\drivers\acpiec.sys (14 bytes)
   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\m1846741.dll (12169462 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\s265006334.dll (35485887 bytes)
   C:\1.exe (1281 bytes)
   C:\$Directory (4 bytes)
   %System%\config (104 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Sherry.ai Software
Product Name: Sherry.ai(R) Windows(R)
Product Version: 1.0.0.1
Legal Copyright: (C) Sherry.ai. All rights reserved.
Legal Trademarks:
Original Filename: Svchost.EXE
Internal Name: CALC
File Version: 1.0.0.1
File Description:
Comments:
Language: Language Neutral

Company Name: Sherry.ai SoftwareProduct Name: Sherry.ai(R) Windows(R)Product Version: 1.0.0.1Legal Copyright: (C) Sherry.ai. All rights reserved.Legal Trademarks: Original Filename: Svchost.EXEInternal Name: CALCFile Version: 1.0.0.1File Description: Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1488	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	8192	726	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	12288	1145	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	16384	262144	161280	4.26571	f2994eb6bec58869f42a0b1e00a60207
.vmp0	278528	27696	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp1	307200	83385	83456	5.47117	48809a8c3e23f5c055edaca80f30b526
.reloc	393216	92	512	0.753009	e000199eeb0430684b8358569cf52f0c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The DeepScan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_580:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.vmp0

@.vmp0

`.vmp1

`.vmp1

.reloc

.reloc

%s\s%d%d.dll

%s\s%d%d.dll

rundll32.exe %s, droqp

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

explorer.exe

explorer.exe

windows

windows

webtrap

webtrap

WEBSCANX

WEBSCANX

WEBSCAN

WEBSCAN

smtpsvc

smtpsvc

safeweb

safeweb

Kabackreport

Kabackreport

[ffi][nil:>:,::mn^::K

[ffi][nil:>:,::mn^::K

,1(*(*(

,1(*(*(

,1(*(*(,

,1(*(*(,

,1(*(*(-

,1(*(*(-

,1(*(*(*

,1(*(*(*

, ( .( * (02

, ( .( * (02

,1( ( (

,1( ( (

,1(*( (

,1(*( (

0 ( ,2( 1 ( /42*2*

0 ( ,2( 1 ( /42*2*

, ( (3*(13

, ( (3*(13

,/(3*(22(-2

,/(3*(22(-2

,*.( 11(3,(02

,*.( 11(3,(02

, *(1.( ./(,-0

, *(1.( ./(,-0

, *(10(*( --

, *(10(*( --

, 3( ,3(,-3(,,*

, 3( ,3(,-3(,,*

0 ( 00(-,(,

0 ( 00(-,(,

, 3( /-(.*(,,

, 3( /-(.*(,,

, 2(3,( 20(,1

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

, 3( /-(/,( ,-

,, ( 3/(.,(1

,, ( 3/(.,(1

,,,(1-(, 2( /

,,,(1-(, 2( /

,*-( *( 02(,--42*

,*-( *( 02(,--42*

,*-( *( 02(,, 42*

,*-( *( 02(,, 42*

/3(-.( - (/.

/3(-.( - (/.

, *(/ (./(/

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(22

/3(-.( 32(31

/3(-.( 32(31

0*( 3*( .( *

0*( 3*( .( *

0*( 3*(, 2(-.

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0*( 3 ( ,.(,/,

0 ( ./( 1(, ,

0 ( ./( 1(, ,

0 ( /1( *3(,,,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 1

1/( ,0(-(, 2

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,,*

1/( ,0(-(,,

1/( ,0(-(,,

1/( ,0(-(,,,

1/( ,0(-(,,,

3-3?3\3{3

3-3?3\3{3

/!/-/6/`0~0

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

F;.VF

F;.VF

7O6%F

7O6%F

!pJ%C

!pJ%C

.zx\)

.zx\)

LR(.Xu

LR(.Xu

d;.UP

d;.UP

jn/%c

jn/%c

WinExec

WinExec

user32.dll

user32.dll

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

KERNEL32.DLL

KERNEL32.DLL

GetWindowsDirectoryA

GetWindowsDirectoryA

Sherry.ai Software

Sherry.ai Software

1.0.0.1

1.0.0.1

(C) Sherry.ai. All rights reserved.

(C) Sherry.ai. All rights reserved.

Svchost.EXE

Svchost.EXE

Sherry.ai(R) Windows(R)

Sherry.ai(R) Windows(R)

%original file name%.exe_580_rwx_10000000_00001000:

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

psapi.dll

psapi.dll

\patch.exe

\patch.exe

\dstdisk.exe

\dstdisk.exe

\defence.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\\.\pcidump

\drivers\gm.dls

\drivers\gm.dls

%s%d.txt

%s%d.txt

>>tmp.tmp

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@echo q>>tmp.tmp

@debugnul

@debugnul

@rename tmp2 tmp2.exe

@rename tmp2 tmp2.exe

tmp2.exe

tmp2.exe

Windows

Windows

1.exe

1.exe

autorun.inf

autorun.inf

Open=1.exe

Open=1.exe

urlmon

urlmon

\setup.exe

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

?mac=%s&ver=%s&key=%d&os=windows

.html

.html

.hhqg

.hhqg

qq.exe

qq.exe

360safe.exe

360safe.exe

\explorer.exe

\explorer.exe

\temp\explorer.exe

\temp\explorer.exe

nfect_exe

nfect_exe

\pipe\browser

\pipe\browser

\\%s\IPC$

\\%s\IPC$

Bd

Bd

%original file name%.exe_580_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

ers\gm.dls

WinExec

WinExec

CreatePipe

CreatePipe

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll

rundll32.exe_492:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s