File name: _aa913765e7243b4c67b9d9953ceae4914696dbc59a2cfe49157a6ed2b64b05c3.txt

Full analysis: https://app.any.run/tasks/e11b8d54-0f16-4a3f-9627-2e962f5c551b
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors operate it.

Analysis date: May 28, 2026, 13:06:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
stealer
confuser
formbook
xloader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (8192), with no line terminators
MD5: 59EE283B9D0E2A86895FA04EBE496A1C
SHA1: 3B8EDEE688AEF48BAF02BD927C26D20FA441563E
SHA256: AA913765E7243B4C67B9D9953CEAE4914696DBC59A2CFE49157A6ED2B64B05C3
SSDEEP: 49152:J6/pQ8/pF5Bj0zOUwe8wsI/vR0kH7oTC/0/7sR+0atv7CGLkHsf:w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Renames files like ransomware
      • powershell.exe (PID: 484)
    • Uses base64 encoding (SCRIPT)
      • wscript.exe (PID: 7724)
    • Creates a new folder (SCRIPT)
      • wscript.exe (PID: 7724)
    • Checks whether a specified folder exists (SCRIPT)
      • wscript.exe (PID: 7724)
    • Runs PowerShell with an invisible window
      • powershell.exe (PID: 9104)
    • Changes PowerShell execution policy (Bypass)
      • wscript.exe (PID: 7724)
    • Uses sleep, probably for detection evasion (SCRIPT)
      • wscript.exe (PID: 7724)
    • Dynamically loads an assembly (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Actions look like stealing of personal data
      • sethc.exe (PID: 7760)
    • FORMBOOK has been detected (SURICATA)
      • wscript.exe (PID: 7724)
    • FORMBOOK has been detected (YARA)
      • sethc.exe (PID: 7760)
    • Deletes a file (SCRIPT)
      • wscript.exe (PID: 7724)
  • SUSPICIOUS
    • Creates XML DOM element (SCRIPT)
      • wscript.exe (PID: 7724)
    • Reads data from a binary Stream object (SCRIPT)
      • wscript.exe (PID: 7724)
    • The process executes JS scripts
      • wscript.exe (PID: 7724)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
      • wscript.exe (PID: 7724)
    • Script creates XML DOM node (SCRIPT)
      • wscript.exe (PID: 7724)
    • Changes charset (SCRIPT)
      • wscript.exe (PID: 7724)
    • Writes binary data to a Stream object (SCRIPT)
      • wscript.exe (PID: 7724)
    • Creates FileSystem object to access the computer's file system (SCRIPT)
      • wscript.exe (PID: 7724)
    • Bypasses execution policy to execute commands
      • powershell.exe (PID: 9104)
    • The process bypasses the loading of PowerShell profile settings
      • wscript.exe (PID: 7724)
    • The process executes PowerShell scripts
      • powershell.exe (PID: 9104)
    • Starts POWERSHELL.EXE for command execution
      • wscript.exe (PID: 7724)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 7724)
    • Converts a specified value to a byte (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Uses sleep to delay execution (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)
      • wscript.exe (PID: 7724)
    • Uses TASKKILL.EXE to kill a process
      • wscript.exe (PID: 7724)
    • Executes WMI query (SCRIPT)
      • wscript.exe (PID: 7724)
  • INFO
    • Creates a byte array (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Found Base64 encoded text manipulation via PowerShell (YARA)
      • wscript.exe (PID: 7724)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 9104)
    • Checks supported languages
      • aspnet_compiler.exe (PID: 9144)
      • aspnet_compiler.exe (PID: 920)
      • aspnet_compiler.exe (PID: 3016)
      • aspnet_compiler.exe (PID: 8248)
      • aspnet_compiler.exe (PID: 2612)
      • aspnet_compiler.exe (PID: 7808)
      • aspnet_compiler.exe (PID: 7556)
    • Confuser has been detected (YARA)
      • powershell.exe (PID: 9104)
    • Reads security settings of Internet Explorer
      • sethc.exe (PID: 7760)
    • Creates files in a temporary directory
      • sethc.exe (PID: 7760)
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 9104)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 176
Monitored processes: 23
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order ("no specs" marks a process with no specific indicators):
start; wscript.exe (#FORMBOOK); powershell.exe (no specs); conhost.exe (no specs); slui.exe; aspnet_compiler.exe (no specs) x6; sethc.exe (#FORMBOOK); aspnet_compiler.exe (no specs) x4; firefox.exe (no specs); aspnet_compiler.exe (no specs) x3; taskkill.exe (no specs); conhost.exe (no specs); powershell.exe (no specs); conhost.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 484
CMD: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "& { $ErrorActionPreference = 'Stop'; $src = [Environment]::ExpandEnvironmentVariables('C:\Users\admin\Desktop\_aa913765e7243b4c67b9d9953ceae4914696dbc59a2cfe49157a6ed2b64b05c3.txt'); $dst = [Environment]::ExpandEnvironmentVariables('C:\Users\admin\Desktop\_aa913765e7243b4c67b9d9953ceae4914696dbc59a2cfe49157a6ed2b64b05c3.txt.js'); Move-Item -LiteralPath $src -Destination $dst -Force }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 920
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1676
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1980
CMD: "C:\Windows\System32\taskkill.exe" /f /im wscript.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2612
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2652
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3016
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7136
CMD: \??\C:\WINDOWS\system32\conhost.exe 0x4
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7536
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: sethc.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events: 9 222
Read events: 9 218
Write events: 4
Delete events: 0

Modification events

Process: slui.exe (PID 1676)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

Process: sethc.exe (PID 7760)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: sethc.exe (PID 7760)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: sethc.exe (PID 7760)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 2
Text files: 4
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type

PID 484, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: D74730A4124C424BB9BE228950E1103C
SHA256: D0F001F416F8C00D7D1A84D01F566E5A9E94E4B564C1933148463CAE5A41DBDD

PID 484, powershell.exe: C:\Users\admin\Desktop\_aa913765e7243b4c67b9d9953ceae4914696dbc59a2cfe49157a6ed2b64b05c3.txt.js (text)
MD5: 59EE283B9D0E2A86895FA04EBE496A1C
SHA256: AA913765E7243B4C67B9D9953CEAE4914696DBC59A2CFE49157A6ED2B64B05C3

PID 7724, wscript.exe: C:\Temp\ps_DMrjAuco50ze_1779973604981.ps1 (text)
MD5: 242BC93EC57798D34817CA84E1B8F76D
SHA256: CC5B479BBFDAEBCEFC9424AD08F66C8B84EA92D5E264E7D868B6695765F0B109

PID 9104, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kucax3sw.zlv.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 9104, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bq3pzh5o.nrs.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7760, sethc.exe: C:\Users\admin\AppData\Local\Temp\3452548 (binary)
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 79
TCP/UDP connections: 53
DNS requests: 20
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
48.209.6.48:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
1728
svchost.exe
GET
200
23.216.77.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1728
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
1728
svchost.exe
GET
200
48.209.6.48:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
US
text
3.41 Kb
whitelisted
POST
200
20.190.160.5:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
POST
400
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
20.190.160.5:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1728
svchost.exe
48.209.6.48:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
48.209.6.48:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7448
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
1728
svchost.exe
23.216.77.10:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
1728
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
48.209.138.168:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
9108
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.251.110.113
  • 142.251.110.101
  • 142.251.110.102
  • 142.251.110.139
  • 142.251.110.138
  • 142.251.110.100
whitelisted
crl.microsoft.com
  • 23.216.77.10
  • 23.216.77.14
  • 23.216.77.9
  • 23.216.77.11
  • 23.216.77.43
  • 23.216.77.36
  • 23.216.77.6
  • 23.216.77.4
  • 23.216.77.40
  • 23.53.41.90
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
settings-win.data.microsoft.com
  • 48.209.138.168
  • 48.209.6.48
  • 57.153.246.3
  • 48.209.133.15
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.130
  • 20.190.159.75
  • 20.190.159.128
  • 20.190.159.131
  • 20.190.159.68
  • 40.126.31.129
  • 40.126.31.130
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 74.179.77.164
whitelisted
www.375615.com
  • 122.10.71.253
unknown

Threats

PID
Process
Class
Message
7724
wscript.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
No debug info