| File name: | fb2d938889d3ddfbce9703ef3663046e30a6dbdc885160443293be1c1be10adc.zip |
| Full analysis: | https://app.any.run/tasks/13ba49ec-7bf5-4938-823b-b610d9868a7f |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 28, 2026, 09:18:06 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 358E41F099FE95605404095054892CD4 |
| SHA1: | F5151CAFFFAE719E816779C03616D3B35014E76B |
| SHA256: | FB2D938889D3DDFBCE9703EF3663046E30A6DBDC885160443293BE1C1BE10ADC |
| SSDEEP: | 98304:geJDxOwPhL4e6ett97zzp8/T0z6nQMdHB4kHeKQhTvCvkWwY3NSI2HxjxIvgSgaL:NuPoHd8 |
MALICIOUS
Steals credentials from Web Browsers
- 46473a9b.exe (PID: 7764)
Actions looks like stealing of personal data
- 46473a9b.exe (PID: 7764)
Run PowerShell with an invisible window
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Starts POWERSHELL.EXE for commands execution
- firefox.exe (PID: 7776)
- msedge.exe (PID: 8708)
Changes powershell execution policy (Bypass)
- firefox.exe (PID: 7776)
- msedge.exe (PID: 8708)
SANTASTEALER has been detected
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Uses Task Scheduler to autorun other applications
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Starts CMD.EXE for self-deleting
- MSI4AFF.tmp (PID: 2328)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 4284)
The process checks if it is being run in the virtual environment
- MSI4AFF.tmp (PID: 2328)
Executable content was dropped or overwritten
- MSI4AFF.tmp (PID: 2328)
- powershell.exe (PID: 8892)
The process drops C-runtime libraries
- MSI4AFF.tmp (PID: 2328)
Creates file in the systems drive root
- 46473a9b.exe (PID: 7764)
Possible stealing from password managers
- 46473a9b.exe (PID: 7764)
Possible stealing from notes
- 46473a9b.exe (PID: 7764)
Bypass execution policy to execute commands
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Browser headless start
- firefox.exe (PID: 7776)
- chrome.exe (PID: 3352)
- msedge.exe (PID: 7452)
- chrome.exe (PID: 8732)
- msedge.exe (PID: 8708)
- firefox.exe (PID: 8720)
Base64-obfuscated command line is found
- firefox.exe (PID: 7776)
- msedge.exe (PID: 8708)
BASE64 encoded PowerShell command has been detected
- firefox.exe (PID: 7776)
- msedge.exe (PID: 8708)
Possible stealing of VPN data
- 46473a9b.exe (PID: 7764)
Uses ATTRIB.EXE to modify file attributes
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Possible stealing of messenger data
- 46473a9b.exe (PID: 7764)
Possible stealing from crypto wallets
- 46473a9b.exe (PID: 7764)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Creates scheduled task with highest privileges
- schtasks.exe (PID: 8524)
- schtasks.exe (PID: 8552)
- schtasks.exe (PID: 8012)
- schtasks.exe (PID: 6924)
Possible stealing of FTP data
- 46473a9b.exe (PID: 7764)
Creates scheduled task with ONLOGON parameter
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Self-deletion pattern has been detected
- MSI4AFF.tmp (PID: 2328)
Hides command output
- cmd.exe (PID: 6028)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 6028)
File deletion via cmd.exe
- cmd.exe (PID: 6028)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 6028)
The process creates files with name similar to system file names
- powershell.exe (PID: 8892)
The process executes files with name similar to system file names
- powershell.exe (PID: 8892)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 8892)
INFO
Reads the computer name
- msiexec.exe (PID: 2164)
- 46473a9b.exe (PID: 7764)
Manual execution by a user
- msiexec.exe (PID: 2452)
Manages system restore points
- SrTasks.exe (PID: 4704)
Generic archive extractor
- WinRAR.exe (PID: 1684)
Starts application with an unusual extension
- msiexec.exe (PID: 2164)
Checks supported languages
- msiexec.exe (PID: 2164)
- MSI4AFF.tmp (PID: 2328)
- 46473a9b.exe (PID: 7764)
- svchost.exe (PID: 6952)
Executable content was dropped or overwritten
- msiexec.exe (PID: 2164)
Create files in a temporary directory
- MSI4AFF.tmp (PID: 2328)
The sample compiled with english language support
- MSI4AFF.tmp (PID: 2328)
Reads the machine GUID from the registry
- 46473a9b.exe (PID: 7764)
Reads Environment values
- 46473a9b.exe (PID: 7764)
Reads CPU info
- 46473a9b.exe (PID: 7764)
Reads product name
- 46473a9b.exe (PID: 7764)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Forces immediate Group Policy refresh
- gpupdate.exe (PID: 5716)
- gpupdate.exe (PID: 7896)
There is functionality for taking screenshot (YARA)
- MSI4AFF.tmp (PID: 2328)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Disables trace logs
- powershell.exe (PID: 6404)
- powershell.exe (PID: 8892)
Remote server returned an error (POWERSHELL)
- powershell.exe (PID: 6404)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6404)
The executable file from the user directory is run by the Powershell process
- svchost.exe (PID: 6952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2026:03:28 10:28:12 |
| ZipCRC: | 0x5bf99cba |
| ZipCompressedSize: | 3429889 |
| ZipUncompressedSize: | 7278592 |
| ZipFileName: | CrimsonSaveEditor.msi |
Total processes
200
Monitored processes
43
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 488 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | gpupdate.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1108 | "C:\WINDOWS\system32\attrib.exe" +h +s C:\Users\admin\AppData\Local\Microsoft\OfficeBroker | C:\Windows\System32\attrib.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1684 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\fb2d938889d3ddfbce9703ef3663046e30a6dbdc885160443293be1c1be10adc.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2164 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2316 | "C:\WINDOWS\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\admin\AppData\Local\Microsoft\OfficeBroker /t REG_DWORD /d 0 /f /reg:64 | C:\Windows\System32\reg.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2328 | "C:\WINDOWS\Installer\MSI4AFF.tmp" | C:\Windows\Installer\MSI4AFF.tmp | msiexec.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2340 | C:\WINDOWS\system32\WerFault.exe -u -p 2328 -s 412 | C:\Windows\System32\WerFault.exe | — | MSI4AFF.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2452 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\CrimsonSaveEditor.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3352 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu | C:\Program Files\Google\Chrome\Application\chrome.exe | 46473a9b.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 3552 | ping -n 3 127.0.0.1 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
26 784
Read events
26 611
Write events
164
Delete events
9
Modification events
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Downloads\chromium_build 1.zip | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\fb2d938889d3ddfbce9703ef3663046e30a6dbdc885160443293be1c1be10adc.zip | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1684) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
Executable files
5
Suspicious files
10
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2164 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2164 | msiexec.exe | C:\Windows\Installer\e484f.msi | — | |
MD5:— | SHA256:— | |||
| 2164 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{704b5dd0-d570-4d29-aca7-d06daa45e4ca}_OnDiskSnapshotProp | binary | |
MD5:0A2C35966DAE4124BF320F705AEDE3AF | SHA256:CF0AE5A367AD4D038AF1929E697A50F7DC7613EBEA34DBCEEF434E5C37438DB4 | |||
| 2328 | MSI4AFF.tmp | C:\Users\admin\AppData\Local\Temp\71352976\aa2e\46473a9b.exe | executable | |
MD5:2CA8AA64F8AAA0EB63209F1190038A2C | SHA256:9A48FA483F0350A39FA7D98C00C603F1E1A1A9F27F0D694BF40FA4B40F1A5F16 | |||
| 2164 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:0A2C35966DAE4124BF320F705AEDE3AF | SHA256:CF0AE5A367AD4D038AF1929E697A50F7DC7613EBEA34DBCEEF434E5C37438DB4 | |||
| 2164 | msiexec.exe | C:\Windows\Installer\MSI4AFF.tmp | executable | |
MD5:C5E2C30F071971D8D088790EA334D2AE | SHA256:CF9FF738B92521D09A673F0974FA4810008164EA24B5F1316902D3388173F9EF | |||
| 6404 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ujl5gw41.aja.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6404 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9RLM5Q20LRCARKJZT60.temp | binary | |
MD5:7C9FCCBEF8150FCA5F90FE9F414D51C7 | SHA256:97A2323DE1884C25CF6345F1D9DAB00BF32B5007C81CBDC944CCC62FB70D1487 | |||
| 6404 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe57e0.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 6404 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ebe2nhfu.1iq.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
141
TCP/UDP connections
79
DNS requests
32
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5276 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | — | — | whitelisted |
7424 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7424 | svchost.exe | GET | 200 | 23.216.77.22:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | text | 1.24 Kb | whitelisted |
5316 | svchost.exe | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | text | 1.24 Kb | whitelisted |
— | — | POST | 400 | 40.126.31.69:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
7424 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7380 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
7424 | svchost.exe | 23.216.77.22:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
7424 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
3428 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
t.me |
| whitelisted |
bill-proof.cc |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5276 | MoUsoCoreWorker.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
7776 | firefox.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
7764 | 46473a9b.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
7452 | msedge.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
3352 | chrome.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] .cc TLD domain request |
8720 | firefox.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
8732 | chrome.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
8708 | msedge.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |