Resubmissions
23/11/2020, 10:42 | 201123-snhph417fe | 10
10/11/2020, 12:08 | 201110-s1senzaeea | 10
05/11/2020, 16:42 | 201105-y9hantbmge | 8
Analysis
max time kernel: 149s
max time network: 141s
platform: windows10_x64
resource: win10v20201028
submitted: 23/11/2020, 10:42
Static task: static1
Behavioral task: behavioral1
Sample: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Resource: win10v20201028
General
Target: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
Size: 583KB
MD5: 74d4e0e6dcf5cc7942c35e630036af0c
SHA1: c7c4bb3907344aed022d181eb73f8fd812e06f88
SHA256: 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901
SHA512: 110bb901dacc153fb484673fd033d2c0f9a3f7cbfd73a46f54c44c1f699796844b68db5a860cbbb5be08c03f4ad9dfcd25feb71fc8a9b37445e137a002e6a8eb
Malware Config
Signatures
-
Detected Xorist Ransomware 4 IoCs
resource | yara_rule
behavioral2/files/0x000200000001ab71-6.dat | family_xorist
behavioral2/files/0x000200000001ab72-11.dat | family_xorist
behavioral2/files/0x000200000001ab71-10.dat | family_xorist
behavioral2/files/0x000200000001ab72-8.dat | family_xorist
-
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Executes dropped EXE 3 IoCs
pid | Process
3912 | javas.exe
3856 | javas2.exe
3596 | asat2.exe
-
resource | yara_rule
behavioral2/files/0x0008000000000687-4.dat | upx
behavioral2/files/0x000200000001ab71-6.dat | upx
behavioral2/files/0x0008000000000687-9.dat | upx
behavioral2/files/0x000200000001ab72-11.dat | upx
behavioral2/files/0x000200000001ab71-10.dat | upx
behavioral2/files/0x000200000001ab72-8.dat | upx
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34kNWi9RL6j2fe9.exe" | javas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6R50fCWES1x3c1.exe" | javas2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | asat2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8wph9ejU2DmPc9F.exe" | asat2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | javas.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | javas2.exe
-
Drops desktop.ini file(s) 9 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\desktop.ini | javas2.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini | javas2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | javas.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | asat2.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | javas2.exe
File opened for modification | C:\Program Files\desktop.ini | asat2.exe
File opened for modification | C:\Program Files\desktop.ini | javas.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini | asat2.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini | javas.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 30 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
3116 | PING.EXE
4028 | PING.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3324 | 3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe (PID:3324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\javas.exe (PID:3912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\javas.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\javas2.exe (PID:3856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\javas2.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\asat2.exe (PID:3596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\asat2.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Modifies registry class
  - C:\Windows\System32\cmd.exe (PID:3320)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e275093a5ad4b2083eda47dfd2e9053cae044f7990a323c6f649093a8d00901.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID:3116)
      Command line: ping 1.1.1.1 -n 1 -w 100
      Signatures: Runs ping.exe
    - C:\Windows\system32\PING.EXE (PID:4028)
      Command line: ping 1.1.1.1 -n 1 -w 900
      Signatures: Runs ping.exe
- C:\Windows\System32\rundll32.exe (PID:1284)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding