SOGe-banking_Instalacioni_paket.exe
This report is generated from a file or URL submitted to this webservice on November 21st 2017 00:27:43 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
- Writes data to a remote process
- Fingerprint
-
Reads the active computer name
Reads the cryptographic machine GUID - Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 2
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/68 Antivirus vendors marked sample as malicious (2% detection rate)
- source
- External System
- relevance
- 8/10
-
Sample was identified as malicious by at least one Antivirus engine
-
Installation/Persistance
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 416)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 416)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 416)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 416) - source
- API Call
- relevance
- 6/10
-
Writes data to a remote process
-
Suspicious Indicators 11
-
Environment Awareness
-
Reads the active computer name
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Reads the active computer name
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/63 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
-
Installation/Persistance
-
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 416)
- source
- API Call
- relevance
- 8/10
-
Drops executable files
- details
-
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI9597.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 10/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "<Input Sample>" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Creates new processes
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "MSI9597.tmp" claimed CRC 167512 while the actual is CRC 57555
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegDeleteKeyA
RegCloseKey
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyA
GetFileAttributesA
CopyFileA
GetModuleFileNameA
LoadLibraryA
LoadLibraryExA
GetFileSize
CreateDirectoryA
DeleteFileA
GetCommandLineA
GetProcAddress
GetTempPathA
CreateThread
GetModuleHandleA
FindFirstFileA
WriteFile
GetTempFileNameA
FindNextFileA
CreateProcessA
Sleep
CreateFileA
GetTickCount
ShellExecuteA
FindWindowExA
VirtualProtect
VirtualAlloc
UnhandledExceptionFilter
GetTempFileNameW
GetTempPathW
GetStartupInfoA
DeleteFileW
GetModuleHandleW
IsDebuggerPresent
TerminateProcess
CreateFileW
ShellExecuteW
ShellExecuteExW - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"<Input Sample>" wrote bytes "2b457f75f99c7e7578eb7d7579897d7593977e75d3337f75a41d7f75d0d97e7511a67e755c397f7541cf7e75e19c7e750e457f75b62f7f7541237e7500bf7e7500000000473f6e7500000000ec22337699e5307600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"<Input Sample>" wrote bytes "08574d76047856760000000051c11d7794981d77ee9c1d7775dc1f77273e1f77efb223770000000046ce7e75013d7f7538ed7f75cfcd7e7531237e75de2f7f75c4ca7e7580bb7e75aa6e7f759fbb7e7592bb7e7546ba7e750abf7e7500000000" to virtual address "0x6DE41000" (part of module "SHFOLDER.DLL")
"<Input Sample>" wrote bytes "c2000000" to virtual address "0x1000404C" (part of module "SYSTEM.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME") - source
- Registry Access
- relevance
- 3/10
-
CRC value set in PE header does not match actual value
-
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 11
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
- Raw size of ".ndata" is zero
- source
- Static Parser
- relevance
- 10/10
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
-
General
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\System.dll"
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\System.dll"
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\modern-header.bmp"
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\modern-wizard.bmp"
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\nsDialogs.dll"
"<Input Sample>" created file "%TEMP%\nsy6D21.tmp\nsDialogs.dll"
"<Input Sample>" created file "%TEMP%\SOGe-banking_Instalacioni_paket\IDGo500PKCS11Libraries.msi" - source
- API Call
- relevance
- 1/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "IDGo500PKCS11Libraries.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: IDGo 500 PKCS#11 Gold Library Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: IDGo 500 PKCS#11Gold Library setup Author: Gemalto Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield# 2011 - Premier Edition 17 Last Saved Time/Date: Mon Dec 17 09:27:03 2012 Create Time/Date: Mon Dec 17 09:27:03 2012 Last Printed: Mon Dec 17 09:27:03 2012 Revision Number: {EBF5B5B7-B6D5-4218-BD7F-8AD1D54AA7F1} Code page: 1252 Template: Intel;1033"), Antivirus vendors marked dropped file "MSI9597.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
-
"<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6C570000
"msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6C570000 - source
- Loaded Module
-
Scanning for window names
- details
- "<Input Sample>" searching for class "#32770"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline """msiexec" /i "%TEMP%\SOGe-banking_Instalacioni_paket\IDGo500PKCS11Libraries.msi"" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
Creates a writable file in a temporary directory
-
Installation/Persistance
-
Dropped files
- details
-
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"IDGo500PKCS11Libraries.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 5.2 Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: IDGo 500 PKCS#11 Gold Library Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: IDGo 500 PKCS#11Gold Library setup Author: Gemalto Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield# 2011 - Premier Edition 17 Last Saved Time/Date: Mon Dec 17 09:27:03 2012 Create Time/Date: Mon Dec 17 09:27:03 2012 Last Printed: Mon Dec 17 09:27:03 2012 Revision Number: {EBF5B5B7-B6D5-4218-BD7F-8AD1D54AA7F1} Code page: 1252 Template: Intel;1033"
"modern-wizard.bmp" has type "PC bitmap Windows 3.x format 164 x 314 x 4"
"MSI9597.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"modern-header.bmp" has type "PC bitmap Windows 3.x format 150 x 57 x 24" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "C:\Windows\System32\msiexec.exe"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates" - source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "*cK#\=:*JE.AG"
Pattern match: "www.gemalto.comARPHELPLINKARPNOMODIFYARPNOREPAIRARPPRODUCTICON.exeARPPRODUCTICONARPURLINFOABOUT30DWUSINTERVALCEBCA7A87E9B4028EEACC7F8E9DC978F994BF08FFEBCD7D8CE7C30CF8E8B87D8992CB76FDEACDWUSLINKTahoma8DefaultUIFontInstallShield"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0DU"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0U#0k&p?-50`HB0"
Pattern match: "http://www.flexerasoftware.com0"
Pattern match: "chemas.microsoft.com/office/word/2003/wordml}{\xmlns2"
Pattern match: "www.netsolutions.gemalto.com"
Pattern match: "http://www.gemalto.com/}{\rtlch\fcs1"
Pattern match: "www.gemalto.com}}}\sectd"
Pattern match: "Js.Xqym/t0`CzIct?Z2R*uHTMR-^9ZgNz24M,+kse`Wn"
Pattern match: "W.MF/O?@,z+b%y3"
Pattern match: "A5Ym.Gs/~=FOk0cvnIx7"
Pattern match: "8gGpSOmK.TvIK/RU9CT5ua_g*,'?f"
Heuristic match: "H/vjR-Q(K]l}78~L?hO>2^\JwE+131C)P<K`B$>8A5'++J?^{P^Aml#>63XBSW6>)t>I>yYQyTi>G5CVZX.pK"
Pattern match: "6j.Ro/w*EVY=a8D5T;vv|!Q.D}x|"
Heuristic match: "bQ0/L_A|0$L'e=*H^dHVi0-tYBC\By40lnjkN~IS&%49cZ{L+,hle,o5}I$Z$1YR\b/.mQ"
Pattern match: "Ol.BR/CI7g7x"
Pattern match: "0vT.vu/[,Ik2`'|4ZbLce"
Heuristic match: ".Th^GbWy~cvy?T><s~>//o~.ps"
Heuristic match: "^$2D pv YfD@ckRn7)lvt8C0C5bCKe`pwK$HwUu4n A'!@ Ip'8 4xrA~lp>2:k/_^_:|_L_d$DnzHD4#O$-II=!<*HHH;ZHH[rH\kG!#_V=/zGEKHK|WO|-}q,cxx{|g<~/'+?:?_DH$=/*D2gg~]kg?66NU|wCbEfkek}:o??.lS"
Pattern match: "h.Ti/0LS43TPP00T"
Pattern match: "8ws.CBUX/qlQ\wODU:L8wOWWVI{,Kgay=i@VKVrkk#g~wj?TrWOGC&/z"
Heuristic match: "JNB;L)>(Q-= BbWxgZ'<{p/]|:sn;Qn~_~b5c.Rs"
Pattern match: "FFf.yKA/UDRjk1]i"
Heuristic match: "7M[*`#[,|a~Sy<z^XgF>Ow~>s2lrQ.5!f ;s-f4^P`g~bRSY.Sa"
Heuristic match: "Wu3^:t_>&t.~6j}Q<}VI(e|y:J$|5,<~Z>/??CK}xTEhq;`1j$N4.cn"
Pattern match: "rj.Por/+Z!:9_duST^#PYT=0!g"
Pattern match: "SQ.TwI/8YD8zP,{C=nZ"
Pattern match: "L.rL/z0L"
Pattern match: "5g.OI/_3P"
Pattern match: "b8yHo.ePr/[~H=NV{G|'zp"
Pattern match: "2wxXWaQlOKrl-4V.wl/k6E;y"
Pattern match: "8LuTa.Kx/\TlaS"
Pattern match: "0.KE/^PtM[k_Qszw%JSRHitE8INPNZtzPEPjFfeP;`sCb=*" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3.exe.bin" was detected as "Nullsoft PiMP Stub -> SFX"
"MSI9597.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft" - source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
File Details
SOGe-banking_Instalacioni_paket.exe
- Filename
- SOGe-banking_Instalacioni_paket.exe
- Size
- 4.6MiB (4793157 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3
- MD5
- f603b1cd1353e36cb6a5e30a271a685c
- SHA1
- b665d48a6bb4514ecd8bbdf2379fde5a64e267c4
- ssdeep
- 98304:ovoMQnE4Xyd2AaOU/kKso30Si2WyB7zMQmDFp/IxuVinSQ/NVP9h:F21dKO2kpEdzHmD/HVCF/7Fh
- imphash
- e160ef8e55bb9d162da4e266afd9eef3
- authentihash
- b4670d5a591df72915a4f41517543d136e2cfc954f97140da31fff851860725d
- Compiler/Packer
- Nullsoft PiMP Stub -> SFX
- PDB Pathway
Classification (TrID)
- 91.9% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 3.0% (.EXE) Win64 Executable (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.4% (.EXE) Win32 Executable (generic)
File Sections
Details | ||||||
---|---|---|---|---|---|---|
File Resources
Details | ||||
---|---|---|---|---|
File Imports
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 2 processes in total (System Resource Monitor).
-
Input Sample
(PID: 3076)
2/68
- msiexec.exe ""msiexec" /i "%TEMP%\SOGe-banking_Instalacioni_paket\IDGo500PKCS11Libraries.msi" (PID: 4044)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 30525-63-00402C29 |
Extracted Strings
Extracted Files
-
Clean 4
-
-
MSI9597.tmp
- Size
- 123KiB (125832 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- msiexec.exe (PID: 4044)
- MD5
- 2c65cc2f1516e8eed2f01ee5efa60c93
- SHA1
- fa8ace92bdf6cb522357384b352389d08b0464de
- SHA256
- 1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca
-
IDGo500PKCS11Libraries.msi
- Size
- 2.3MiB (2380800 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: IDGo 500 PKCS#11 Gold Library, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: IDGo 500 PKCS#11Gold Library setup, Author: Gemalto, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield# 2011 - Premier Edition 17, Last Saved Time/Date: Mon Dec 17 09:27:03 2012, Create Time/Date: Mon Dec 17 09:27:03 2012, Last Printed: Mon Dec 17 09:27:03 2012, Revision Number: {EBF5B5B7-B6D5-4218-BD7F-8AD1D54AA7F1}, Code page: 1252, Template: Intel;1033
- AV Scan Result
- 0/56
- Runtime Process
- msiexec.exe (PID: 4044)
- MD5
- 9ab9991f87e4bb8c652da7539aa87a2d
- SHA1
- 9ee3473f6c3d1c735ec9f5c030bd58ae3b988cba
- SHA256
- 0026705c7e9bdeef67338d8ad473560b3b8e618f3dccd43f13633d93b5f3cb8c
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- 33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3.exe (PID: 3076)
- MD5
- 6f5257c0b8c0ef4d440f4f4fce85fb1b
- SHA1
- b6ac111dfb0d1fc75ad09c56bde7830232395785
- SHA256
- b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
-
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/84
- Runtime Process
- 33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3.exe (PID: 3076)
- MD5
- d9256d9acaecabb20b7e9a1595abfa36
- SHA1
- ece1cab181dac7729246da1d4494b8daa10c3b70
- SHA256
- d7b2c55977a541f8d075e48d4e0a82eec79ad247b0ed168c19a8518131acd19c
-
-
Informative 2
-
-
modern-header.bmp
- Size
- 25KiB (25818 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 150 x 57 x 24
- Runtime Process
- 33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3.exe (PID: 3076)
- MD5
- de0eb8fdb697b74c34f0f65792e052d2
- SHA1
- ed5e01a983695960f4cabc0ff483fa273813a1d1
- SHA256
- 7409ece79097c530c741d96d0f256913badda4daed1b7345ffeaaefcea83d21e
-
modern-wizard.bmp
- Size
- 26KiB (26494 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 164 x 314 x 4
- Runtime Process
- 33e0c87f234d7c17caf540082648c9b9265583b311cfbe2c93b2eabdbbb217c3.exe (PID: 3076)
- MD5
- cbe40fd2b1ec96daedc65da172d90022
- SHA1
- 366c216220aa4329dff6c485fd0e9b0f4f0a7944
- SHA256
- 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)