bdaejec | e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
Size

68KB
MD5

02b3757b29002a8fcabd9afaebf1f7d3
SHA1

cecffd787a418e435a9019211dda54444c2184fd
SHA256

e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064
SHA512

fa7312829ddb66c4e3dba341eb45b2625c45060cfb2265a53ddb54595dd28d9245959eee6065b50e58d1908660732785a0430ae9345455d4bbcefd52fc5b015a
SSDEEP

1536:sb1MsHz3JDwhyWr+N95OTga6S+PGCq2iW7z:XsT3JezcMCSkGCH

Score

10^/10

bdaejec runningrat aspackv2 backdoor discovery persistence rat

Malware Config

Extracted

Family

runningrat

119.91.152.151

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral2/memory/2708-54-0x0000000000810000-0x0000000000819000-memory.dmp	family_bdaejec_backdoor

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

RunningRat payload 1 IoCs

resource	yara_rule
behavioral2/memory/1536-0-0x0000000000400000-0x0000000000411000-memory.dmp	family_runningrat

Runningrat family
runningrat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SySyeu\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240614390.dll"	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023b14-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	XekSuT.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	XekSuT.exe
4232	SySyeu.exe

Loads dropped DLL 3 IoCs

pid	Process
1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
5020	svchost.exe
4232	SySyeu.exe

Creates a Windows Service
persistence

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SySyeu.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SySyeu.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	XekSuT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	XekSuT.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	XekSuT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	XekSuT.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	XekSuT.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	XekSuT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	XekSuT.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	XekSuT.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	XekSuT.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	XekSuT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	XekSuT.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe	XekSuT.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	XekSuT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	XekSuT.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	XekSuT.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	XekSuT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SySyeu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XekSuT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3484	cmd.exe
2000	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2000	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2708	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	84
PID 1536 wrote to memory of 2708	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	84
PID 1536 wrote to memory of 2708	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	84
PID 1536 wrote to memory of 3484	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	87
PID 1536 wrote to memory of 3484	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	87
PID 1536 wrote to memory of 3484	1536	e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe	87
PID 3484 wrote to memory of 2000	3484	cmd.exe	89
PID 3484 wrote to memory of 2000	3484	cmd.exe	89
PID 3484 wrote to memory of 2000	3484	cmd.exe	89
PID 2708 wrote to memory of 3868	2708	XekSuT.exe	93
PID 2708 wrote to memory of 3868	2708	XekSuT.exe	93
PID 2708 wrote to memory of 3868	2708	XekSuT.exe	93
PID 5020 wrote to memory of 4232	5020	svchost.exe	99
PID 5020 wrote to memory of 4232	5020	svchost.exe	99
PID 5020 wrote to memory of 4232	5020	svchost.exe	99

C:\Users\Admin\AppData\Local\Temp\e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe
"C:\Users\Admin\AppData\Local\Temp\e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\XekSuT.exe
  C:\Users\Admin\AppData\Local\Temp\XekSuT.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40d8053a.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\e909609bcd7d6a217635b372abba6e55d034d2e55712b032844ce28ded020064.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
1⤵
PID:2360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SySyeu"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\SySyeu.exe
  C:\Windows\system32\SySyeu.exe "c:\users\admin\appdata\local\temp\240614390.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A4F4F44.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\240614390.dll

Filesize
25KB

MD5
db598538e7a70b73298f6424ae507e02

SHA1
d06a04fb9ca1bb8da5974870196ae5c0eadc1fa9

SHA256
cc4ab82995b0c0c827e99870948ef6a1371d4d1ed6d167a087c0d5c123d0f15e

SHA512
ebedb94e2ba77836317596557fb447e6abc78fecfafce8de900d70202994fe829459665e0dec8813c51039b64a12d08258bc6074324b729994b61e8467f5e3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\40d8053a.bat

Filesize
187B

MD5
676c45ccef6755c07fc84805b058e1ea

SHA1
c516220ef523f21e5a1036ee6fe707e3ed5c45e5

SHA256
ddf1da26aadf3bcc0a19a7b7b490e3030024432ee12652b0deed48de96ce06f0

SHA512
cc491c54017789aba69a999f5a1f6c2b0385a8d01da42550adc0431e497d0999fe969d0d1d0049f3f2bfab577e006ed332d74324e0e1b0fdcc1f904ebe04da91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XekSuT.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Windows\SysWOW64\SySyeu.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1536-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2708-4-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/2708-54-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download