HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.123691 (B) (Emsisoft), Gen:Variant.Kazy.123691 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.PcClient.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 07d4c1b98e1a92c11c10817311b178e4
SHA1: fe72d7488f1bf8ad3ca0c1fbbdfe623c209b6fdd
SHA256: 2b24d927004d00c8c21046b1f3584a2e03268357e16425213d341f1418c78fc4
SSDeep: 6144:mLuvICadCpSc3vYlyV09Z8AUiXoxeksYePsuzflRQG:lwyxAs093lC/ekuzN2
Size: 327680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-01 08:28:31
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
07d4c1b98e1a92c:420
%original file name%.exe:668
The Backdoor injects its code into the following process(es):
rundll32.exe:156
svchost.exe:2004
iexplore.exe:1560
File activity
The process 07d4c1b98e1a92c:420 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (1425 bytes)
%System%\drivers\etc\hosts (421 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sbaD.tmp (11010 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg (1 bytes)
%System%\2622.jpg.exe (4 bytes)
%WinDir%\systm32\win32.exe (1425 bytes)
%System%\2622.jpg (48 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
Registry activity
The process 07d4c1b98e1a92c:420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 93 C9 20 64 ED DF 36 AA 85 9B AF 2B F2 6F B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
The process rundll32.exe:156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 B0 AC 9D 11 5F 39 87 4B 0F F7 A1 12 F3 28 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:668 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 54 92 4F C6 C0 DE 65 80 C1 9C 8C A2 70 D0 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\systm32\win32.exe restart"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\BYQHfSQ]
"InstalledServer" = "%WinDir%\systm32\win32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\BYQHfSQ]
"ServerStarted" = "6/3/2014 6:42:04 AM"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\systm32\win32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\systm32\win32.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 421 bytes in size. The following strings are added to the hosts file listed below:
virscan.org | |
virustotal.com | |
virusscan.jotti.org | |
vscan.novirusthanks.org | |
free.avg.com | |
avg.com | |
norton.com | |
www.norton.com | |
avast.com | |
trendmicro.com | |
pctools.com | |
kaskersky.com | |
www.kaspersky.com | |
bullguard.com | |
secunia.com | |
community.norton.com | |
av-comparatives.org | |
computerhope.com | |
nl.clamwin.com | |
clamwin.com | |
mac-forums.com | |
mcafee.com | |
barracudanetworks.com | |
stopzilla.com | |
free-av.com | |
symantec.com | |
eset.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
07d4c1b98e1a92c:420
%original file name%.exe:668 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (1425 bytes)
%System%\drivers\etc\hosts (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sbaD.tmp (11010 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg (1 bytes)
%System%\2622.jpg.exe (4 bytes)
%WinDir%\systm32\win32.exe (1425 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\systm32\win32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\systm32\win32.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: n0XGm
Product Name: k2K0Q
Product Version: 19.47.59.57
Legal Copyright: Xr8x6Q
Legal Trademarks: Tb1r9P0Yc
Original Filename: ghsav5ud.exe
Internal Name: ghsav5ud.exe
File Version: 19.47.59.57
File Description: o3MDx04Zeq
Comments: Kx04Xyc6L
Language: English (United States)
Company Name: n0XGmProduct Name: k2K0QProduct Version: 19.47.59.57Legal Copyright: Xr8x6QLegal Trademarks: Tb1r9P0YcOriginal Filename: ghsav5ud.exeInternal Name: ghsav5ud.exeFile Version: 19.47.59.57File Description: o3MDx04ZeqComments: Kx04Xyc6LLanguage: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 307012 | 307200 | 5.46147 | e3edae100ef730eda0852469afd3e80b |
.sdata | 319488 | 96 | 4096 | 0.162117 | f2df2b0ba215850192fd9cc184818887 |
.rsrc | 327680 | 4336 | 8192 | 2.79933 | 6bba534125c46f442cf5ea9a3e481390 |
.reloc | 335872 | 12 | 4096 | 0.011373 | 62a84c5aca5939b661aede704d482b9c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_2004:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
svchost.exe_2004_rwx_00C80000_0001F000:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
P.xur
P.xur
Portions Copyright (c) 1999,2003 Avenger by NhT
Portions Copyright (c) 1999,2003 Avenger by NhT
789:;<&'()* ,-./12345
789:;<&'()* ,-./12345
user32.dll
user32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
advapi32.dll
advapi32.dll
Shell32.dll
Shell32.dll
shell32.dll
shell32.dll
shlwapi.dll
shlwapi.dll
kernel32.dll
kernel32.dll
GetProcessHeap
GetProcessHeap
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCreateKeyW
RegCloseKey
RegCloseKey
GetWindowsDirectoryW
GetWindowsDirectoryW
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
MapVirtualKeyW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
SHDeleteKeyW
SHDeleteKeyW
FindExecutableW
FindExecutableW
ShellExecuteW
ShellExecuteW
URLDownloadToFileW
URLDownloadToFileW
DeleteUrlCacheEntryW
DeleteUrlCacheEntryW
PSAPI.dll
PSAPI.dll
ntdll.dll
ntdll.dll
GetKeyboardState
GetKeyboardState
FtpPutFileW
FtpPutFileW
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryW
4/4.565>5
4/4.565>5
55^516;6E6O6Y6
55^516;6E6O6Y6
KWindows
KWindows
UnitKeylogger
UnitKeylogger
=zy%X
=zy%X
nBÞ
nBÞ
:U.Xf
:U.Xf
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
x.html
x.html
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
[Execute]
[Execute]
KeyDelBackspace
KeyDelBackspace
XtremeKeylogger
XtremeKeylogger
l.xtr
l.xtr
http://
http://
.functions
.functions
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ÞFAULTBROWSER%
ÞFAULTBROWSER%
\Microsoft\Windows\
\Microsoft\Windows\
svchost.exe
svchost.exe
explorer.exe
explorer.exe
pepe12.no-ip.biz
pepe12.no-ip.biz
win32.exe
win32.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
{5460C4DF-B266-909E-CB58-E32B79832EB2}
ftp.ftpserver.com
ftp.ftpserver.com
r FTP
r FTP
ftpuser
ftpuser
Hftppass
Hftppass
%WinDir%\systm32\win32.exe
%WinDir%\systm32\win32.exe
%WinDir%\systm32\
%WinDir%\systm32\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg
Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
iexplore.exe_1560:
%?9-*09,*19}*09
%?9-*09,*19}*09
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
SHDOCVW.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
IE-X-X
rsabase.dll
rsabase.dll
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
dw15 -x -s %u
watson.microsoft.com
watson.microsoft.com
IEWatsonURL
IEWatsonURL
%s -h %u
%s -h %u
iedw.exe
iedw.exe
Iexplore.XPExceptionFilter
Iexplore.XPExceptionFilter
jscript.DLL
jscript.DLL
mshtml.dll
mshtml.dll
mlang.dll
mlang.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
shdocvw.DLL
shdocvw.DLL
browseui.DLL
browseui.DLL
comctl32.DLL
comctl32.DLL
IEXPLORE.EXE
IEXPLORE.EXE
iexplore.pdb
iexplore.pdb
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IExplorer.EXE
IExplorer.EXE
IIIIIB(II<.Fg
IIIIIB(II<.Fg
7?_____ZZSSH%
7?_____ZZSSH%
)z.UUUUUUUU
)z.UUUUUUUU
,....Qym
,....Qym
````2```
````2```
{.QLQIIIKGKGKGKGKGKG
{.QLQIIIKGKGKGKGKGKG
;33;33;0
;33;33;0
8888880
8888880
8887080
8887080
browseui.dll
browseui.dll
shdocvw.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
6.00.2900.5512
6.00.2900.5512
iexplore.exe_1560_rwx_00C80000_0001F000:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
P.xur
P.xur
Portions Copyright (c) 1999,2003 Avenger by NhT
Portions Copyright (c) 1999,2003 Avenger by NhT
789:;<&'()* ,-./12345
789:;<&'()* ,-./12345
user32.dll
user32.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
advapi32.dll
advapi32.dll
Shell32.dll
Shell32.dll
shell32.dll
shell32.dll
shlwapi.dll
shlwapi.dll
kernel32.dll
kernel32.dll
GetProcessHeap
GetProcessHeap
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCreateKeyW
RegCloseKey
RegCloseKey
GetWindowsDirectoryW
GetWindowsDirectoryW
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
MapVirtualKeyW
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
SHDeleteKeyW
SHDeleteKeyW
FindExecutableW
FindExecutableW
ShellExecuteW
ShellExecuteW
URLDownloadToFileW
URLDownloadToFileW
DeleteUrlCacheEntryW
DeleteUrlCacheEntryW
PSAPI.dll
PSAPI.dll
ntdll.dll
ntdll.dll
GetKeyboardState
GetKeyboardState
FtpPutFileW
FtpPutFileW
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryW
4/4.565>5
4/4.565>5
55^516;6E6O6Y6
55^516;6E6O6Y6
KWindows
KWindows
UnitKeylogger
UnitKeylogger
=zy%X
=zy%X
nBÞ
nBÞ
:U.Xf
:U.Xf
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
x.html
x.html
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
[Execute]
[Execute]
KeyDelBackspace
KeyDelBackspace
XtremeKeylogger
XtremeKeylogger
l.xtr
l.xtr
http://
http://
.functions
.functions
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ÞFAULTBROWSER%
ÞFAULTBROWSER%
\Microsoft\Windows\
\Microsoft\Windows\
svchost.exe
svchost.exe
explorer.exe
explorer.exe
pepe12.no-ip.biz
pepe12.no-ip.biz
win32.exe
win32.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
{5460C4DF-B266-909E-CB58-E32B79832EB2}
ftp.ftpserver.com
ftp.ftpserver.com
r FTP
r FTP
ftpuser
ftpuser
Hftppass
Hftppass
%WinDir%\systm32\win32.exe
%WinDir%\systm32\win32.exe
%WinDir%\systm32\
%WinDir%\systm32\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg
Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}
rundll32.exe_156:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s