gh0strat | 14e9f6b17758c84db9a2cc42f99ee091de58922a796c343cff0f5ed3d3cd8835

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35212d6256a04fc5e0ece3985f15396b.exe
Size

150KB
MD5

35212d6256a04fc5e0ece3985f15396b
SHA1

cec766f69d2bbfa0260c7ad3ddb2ac131f193e8e
SHA256

14e9f6b17758c84db9a2cc42f99ee091de58922a796c343cff0f5ed3d3cd8835
SHA512

19be7faa18081be4c44050a54d26ea662dae8220f0ab093a5dd659ba4ccab37ff57a221155bb7ab3a841d23ef5859b67ebbfda497d620565dd9eff8bc7347f93
SSDEEP

3072:/VhUTNt0TSmLGkhjKXFvIGk6H0ydpZTr5iSTNL9cEVz3CiODcRwZV:dkt0TSZkhWVvI+UupZTr5iSVrLmck

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2032-17-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
536	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	ind87D5.tmp
2612	inlD55B.tmp

Loads dropped DLL 3 IoCs

pid	Process
1340	35212d6256a04fc5e0ece3985f15396b.exe
2572	cmd.exe
2572	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\loader.dll	ind87D5.tmp
File created	C:\Program Files\Common Files\lanmao.dll	ind87D5.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76dc3b.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIF132.tmp	msiexec.exe
File created	C:\Windows\Installer\f76dc3e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76dc40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76dc3e.ipi	msiexec.exe
File created	C:\WINDOWS\vbcfg.ini	ind87D5.tmp
File created	C:\Windows\Installer\f76dc3b.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1340	35212d6256a04fc5e0ece3985f15396b.exe
2648	msiexec.exe
2648	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: SeIncBasePriorityPrivilege	1340	35212d6256a04fc5e0ece3985f15396b.exe
Token: SeCreateTokenPrivilege	2788	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2788	msiexec.exe
Token: SeLockMemoryPrivilege	2788	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2788	msiexec.exe
Token: SeMachineAccountPrivilege	2788	msiexec.exe
Token: SeTcbPrivilege	2788	msiexec.exe
Token: SeSecurityPrivilege	2788	msiexec.exe
Token: SeTakeOwnershipPrivilege	2788	msiexec.exe
Token: SeLoadDriverPrivilege	2788	msiexec.exe
Token: SeSystemProfilePrivilege	2788	msiexec.exe
Token: SeSystemtimePrivilege	2788	msiexec.exe
Token: SeProfSingleProcessPrivilege	2788	msiexec.exe
Token: SeIncBasePriorityPrivilege	2788	msiexec.exe
Token: SeCreatePagefilePrivilege	2788	msiexec.exe
Token: SeCreatePermanentPrivilege	2788	msiexec.exe
Token: SeBackupPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2788	msiexec.exe
Token: SeShutdownPrivilege	2788	msiexec.exe
Token: SeDebugPrivilege	2788	msiexec.exe
Token: SeAuditPrivilege	2788	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2788	msiexec.exe
Token: SeChangeNotifyPrivilege	2788	msiexec.exe
Token: SeRemoteShutdownPrivilege	2788	msiexec.exe
Token: SeUndockPrivilege	2788	msiexec.exe
Token: SeSyncAgentPrivilege	2788	msiexec.exe
Token: SeEnableDelegationPrivilege	2788	msiexec.exe
Token: SeManageVolumePrivilege	2788	msiexec.exe
Token: SeImpersonatePrivilege	2788	msiexec.exe
Token: SeCreateGlobalPrivilege	2788	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2032	1340	35212d6256a04fc5e0ece3985f15396b.exe	28
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2788	1340	35212d6256a04fc5e0ece3985f15396b.exe	29
PID 1340 wrote to memory of 2572	1340	35212d6256a04fc5e0ece3985f15396b.exe	31
PID 1340 wrote to memory of 2572	1340	35212d6256a04fc5e0ece3985f15396b.exe	31
PID 1340 wrote to memory of 2572	1340	35212d6256a04fc5e0ece3985f15396b.exe	31
PID 1340 wrote to memory of 2572	1340	35212d6256a04fc5e0ece3985f15396b.exe	31
PID 1340 wrote to memory of 2344	1340	35212d6256a04fc5e0ece3985f15396b.exe	35
PID 1340 wrote to memory of 2344	1340	35212d6256a04fc5e0ece3985f15396b.exe	35
PID 1340 wrote to memory of 2344	1340	35212d6256a04fc5e0ece3985f15396b.exe	35
PID 1340 wrote to memory of 2344	1340	35212d6256a04fc5e0ece3985f15396b.exe	35
PID 1340 wrote to memory of 536	1340	35212d6256a04fc5e0ece3985f15396b.exe	33
PID 1340 wrote to memory of 536	1340	35212d6256a04fc5e0ece3985f15396b.exe	33
PID 1340 wrote to memory of 536	1340	35212d6256a04fc5e0ece3985f15396b.exe	33
PID 1340 wrote to memory of 536	1340	35212d6256a04fc5e0ece3985f15396b.exe	33
PID 2344 wrote to memory of 344	2344	cmd.exe	37
PID 2344 wrote to memory of 344	2344	cmd.exe	37
PID 2344 wrote to memory of 344	2344	cmd.exe	37
PID 2344 wrote to memory of 344	2344	cmd.exe	37
PID 2572 wrote to memory of 2612	2572	cmd.exe	40
PID 2572 wrote to memory of 2612	2572	cmd.exe	40
PID 2572 wrote to memory of 2612	2572	cmd.exe	40
PID 2572 wrote to memory of 2612	2572	cmd.exe	40
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2648 wrote to memory of 2008	2648	msiexec.exe	41
PID 2612 wrote to memory of 2272	2612	inlD55B.tmp	44
PID 2612 wrote to memory of 2272	2612	inlD55B.tmp	44
PID 2612 wrote to memory of 2272	2612	inlD55B.tmp	44
PID 2612 wrote to memory of 2272	2612	inlD55B.tmp	44

C:\Users\Admin\AppData\Local\Temp\35212d6256a04fc5e0ece3985f15396b.exe
"C:\Users\Admin\AppData\Local\Temp\35212d6256a04fc5e0ece3985f15396b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\ind87D5.tmp
  C:\Users\Admin\AppData\Local\Temp\ind87D5.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2032
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSCC8~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\inlD55B.tmp
    C:\Users\Admin\AppData\Local\Temp\inlD55B.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD55B.tmp > nul
      4⤵
      PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\35212D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA532A46343B7F56E4DDEFC5DC0A7B2
  2⤵
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76dc3f.rbs

Filesize
7KB

MD5
af83f0187e5c475369a01f0573698fd4

SHA1
957acc23eb105d5b62268f3f8151a1eec68ec0a0

SHA256
0a2ce72a122ec0910ae992691d594551ad3be25805a2fdbaeb61cdea9b49ca59

SHA512
7dfab21812e0effe6393f9bdec0f058751dfedeb24ddd97793a2c8f9e3f1f08b1e6d1f1de71d2583aa319c0f92bbd2f31da7dba77e91786ff465087e8e363a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSCC8~1.INI

Filesize
66KB

MD5
be5f856b3b3a6e6c246e88d390b7a1b4

SHA1
fdc41f583c0aadfe62054ad4e8de51706d14b2de

SHA256
2528712d2144f3f42c3075836d4332bce57c2a0259e3055cd17fb54d67eeeefb

SHA512
17c8d75114a8d771642726eeb808ee8956dca8e4cba0aa42a1a9092bb24bf8c82876abcc923a4b30c1f490a874a0cd43d882e7e0895ab4ffa008eff217739018

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
765B

MD5
a4a4219ce5fdbaf2864b04ca4e453ac9

SHA1
98bf1383e8b2f4db0388ee139ae7fe06ff7a67a9

SHA256
7ce64a6d79d1772713cf59d6575aec39f9fa00690d4c84cd2f160081b0d412c6

SHA512
22f5668719a58a4c1692ceb8aae48af9d5a53527d96431410587fa1f3f67ec9b5f0660c87fa9d931343e1be9b0f56f03c3fcd431cc2d67b104450b2ef792baa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ind87D5.tmp

Filesize
327.1MB

MD5
15c6ab084143faf4123f258568a7b71b

SHA1
2c231c505cd24879c06d7747d7ed3602072274c7

SHA256
85b031c481d44eae7d41d2f633c5f8459e7a994e425b42d12782750bd748e616

SHA512
df73a41fa8a46ffba6961ba971c5c2bdd159c0f217ef4b781cf951b8b07b731ee6f2e80905704f42859f977d866018f277cb2cd39de7d280f89047789ab6b06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
24739fc860c3ab066dc62b81a0e69311

SHA1
afad6b976131fc88a8e9198d37d4c10cb6698c6d

SHA256
8679877c0df2103ac41832d89f70f7d3b0c4dcdda95c2e89adbecdf9f960cea1

SHA512
06d913845f2b7d0db9a0fa597f636905541519b437395e5cd7f4301f721f7a6bb0803aa3ce6834ee747f20f62b96d8db3ff487bb94e1cce0bd428b596cd86ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
\Users\Admin\AppData\Local\Temp\ind87D5.tmp

Filesize
128.0MB

MD5
b5f8e080a357c1b257468aac09494898

SHA1
2ed2dfd708762a23c8acad6978337425a2bfacbc

SHA256
e407a62ed8b30bb19c0e93dede7c2ad63e692e3f41150b7877a02fffcf0d2b13

SHA512
2587e82d928c2ce1af24c6926d224e3308277ef7d9cdfeed1ae64c7a8874ad419661488347bfe35bb41e436f9d976b73963ff16941a2cb32a9925b37e868a4d9

Download Submit
\Users\Admin\AppData\Local\Temp\inlD55B.tmp

Filesize
122.8MB

MD5
bdc04f2077b1aec93822a4493cbe430c

SHA1
6a090a49cd0349c30ca1998a094e2a9d73305585

SHA256
3668a7cf62866cf25f1eae1c92ed1d7d66f10f970cf2a99b2ab0e0e1d5ad5253

SHA512
7d1bc52a25899556138cb03c9bad3595c8679ca409f8744b642591a5a1c7614bf40d08a063bd390024dcb7eb8ad67022d53fc2432b14bcba65273ab825c47047

Download Submit
memory/1340-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-8-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1340-2-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1340-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-46-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/1340-20-0x00000000045C0000-0x00000000045D0000-memory.dmp

Filesize
64KB

Download
memory/1340-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-12-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2032-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2612-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download