MAR-10375867-1.v1 – HermeticWiper

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received seven files for analysis. Five of these files were identified as the HermeticWiper, all digitally signed by Hermetica Digital Ltd. The other two files are 32-bit and 64-bit copies of the EaseUS Partition Master NT Driver (EPMNTDrv), all digitally signed by Chengdu Yiwo Technology Development Co., Ltd with an expired certificate issued in 2012. The wiper contains four copies of compressed EPMNTDrv in its resource section. Each EPMNTDrv targets different versions and architectures of the Windows operating system (OS). Upon execution of the wiper, it extracts, expands, registers the driver with a service key and starts the service immediately. After the driver service is started and the driver process lives in memory, the service key and associated driver files are deleted. The driver process enables the wiper to conduct read and write directly on the disk.

The wiper overwrites the Master boot record (MBR), New Technologies File System (NTFS) boot sector and data and attributes the system relies on for a system restoration. The wiper sets a sleep timer, which can be its first numeric input. If the wiper runs with the administrative privilege or if the wiper's name begins with the 'c' character, the expiration of the timer will trigger a forced system shutdown followed by an immediate reboot, rendering the system useless at that point. Before the timer expires, the wiper continues the fragmentation process on the disk and overwrites the File Allocation Table (FAT) file system Boot Sector or the NTFS Master File Table (MFT) and its backup in $MFTMirr, user's files from user's directories and the attributes and data contents of the Windows Event Logs with random bytes. The wiper will stop the fragmentation, locate the allocated clusters and overwrite them with random bytes. Finally, the wiper overwrites itself with random bytes and the wiping process is terminated.

Two of the 'newer' HermeticWiper compiled in 2022 will detect the role of the infected system. If the system is a Domain Controller, the wiper will wait for three minutes to complete the overwriting of the MBR, boot sector and system restore directory attributes and data with random bytes before it exits. The domain controller continues to function until the next reboot.

For a downloadable copy of IOCs, see: MAR-10375867-1.v1.stix

Submitted Files (7)

0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da (0385eeab00e946a302b24a91dea418...)

06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 (06086c1da4590dcc7f1e10a6be3431...)

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (1bc44eef75779e3ca1eefb8ff5a648...)

2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf (2c10b2ec0b995b88c27d141d6f7b14...)

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 (3c557727953a8f6b4788984464fb77...)

8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b (<two-random-characters>dr.sys)

96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84 (epmntdrv.sys)

Additional Files (6)

23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4 (<two-random-characters>dr.sys)

2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d (<two-random-characters>dr.sys)

b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 (drv_x86)

b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd (drv_xp_x64)

e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 (drv_x64)

fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d (drv_xp_x86)

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Tags

droppertrojanviruswiper

Details

Antivirus

YARA Rules

• rule CISA_10375867_01 : wiper HERMETICWIPER
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10375867"
         Date = "2022-04-05"
         Last_Modified = "20220406_1500"
         Actor = "n/a"
         Category = "Wiper"
         Family = "n/a"
         Description = "Detects Hermetic Wiper samples"
         MD5_1 = "382fc1a3c5225fceb672eea13f572a38"
         SHA256_1 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
         MD5_2 = "decc2726599edcae8d1d1d0ca99d83a6"
         SHA256_2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
         MD5_3 = "84ba0197920fd3e2b7dfa719fee09d2f"
         SHA256_3 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
         MD5_4 = "3f4a16b29f2f0532b7ce3e7656799125"
         SHA256_4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
         MD5_5 = "f1a33b2be4c6215a1c39b45e391a3e85"
         SHA256_5 = "06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397"
     strings:
         $rsrc1 = { 53 5A 44 44 }
         $rsrc2 = { 52 00 43 00 44 00 41 00 54 00 41 00 }
         $rsrc3 = { 44 00 52 00 56 00 5F 00 58 00 36 00 34 }
         $rsrc4 = { 44 00 52 00 56 00 5F 00 58 00 38 00 36 }
         $rsrc5 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 36 00 34 }
         $rsrc6 = { 44 00 52 00 56 00 5F 00 58 00 50 00 5F 00 58 00 38 00 36 00 }
         $s1 = { 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 00 5C 00 25 00 75 }
         $s2 = { 50 00 68 00 79 00 73 00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 00 65 00 25 00 75 }
         $s3 = { 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 5C 00 43 00 72 00 61 00 73 00 68 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C }
         $s4 = { 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00 70 00 45 00 6E 00 61 00 62 00 6C 00 65 00 64 }
         $s5 = { 24 00 49 00 4E 00 44 00 45 00 58 00 5F 00 41 00 4C 00 4C 00 4F 00 43 00 41 00 54 00 49 00 4F 00 4E }
         $s6 = { 53 00 65 00 4C 00 6F 00 61 00 64 00 44 00 72 00 69 00 76 00 65 00 72 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
         $s7 = { 53 00 65 00 42 00 61 00 63 00 6B 00 75 00 70 00 50 00 72 00 69 00 76 00 69 00 6C 00 65 00 67 00 65 }
         $s8 = { 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 59 00 53 00 56 00 4F 00 4C }
     condition:
         uint16(0) == 0x5A4D and ((3 of ($rsrc*)) and (7 of ($s*)))
  }

ssdeep Matches

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This file is identified as a 32-bit HermeticWiper. The resource section of the HermeticWiper is embedded with four SZDD compressed driver files as displayed in Figure 1. Depending on the OS major version and system architecture type (32-bit/64-bit), the corresponding SZDD compressed file will be extracted into the System32 directory and expanded to a driver file <random-2-characters>dr.sys (Figures 2-4). The expanded file is a copy of the EaseUs Partition Manager (epmntdrv.sys). The wiper enables SeLoadDriverPrivilege and registers the driver as a system service. The new system service starts immediately and the driver process runs in memory. Then the wiper immediately removes the following registry key and deletes the SZDD file and the expanded driver file from System32 in order to remove its tracks on the victim's system.

--Begin sample device service installed--
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lxdr, Data: "C:\Windows\system32\Drivers\lxdr.sys"
--End sample device service installed--

In preparation, the wiper disables the crash dump service by disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled key. In addition, the wiper disables the Volume Snapshot Service (VSS).

In order to run on user mode, the wiper enables SeBackupPrivilege. If the wiper's name begins with a 'c', it will reconstruct the "SeShutDownPrivilege" string and enable it (Figure 5). The SeShutDownPrivilege is necessary for the wiper when it runs in user mode, to be able to execute InitiateSystemShutdownExW, which is configured to force applications to close, shutdown the system without warning and immediately force a reboot (Figure 13, line 199). The SeShutDownPrivilege is not needed if the wiper runs on administrative privilege; the system will shutdown and reboot regardless of the wiper's name.

The wiper uses the same method to locate and wipe files. First, it locates target files and stores their disk locations into a customized structure type. Meanwhile, a random buffer is generated using CryptGenRandom (Figure 7) for each group of targeted files and stored into the same structure. The stuffed structure is passed to a wipe function, which runs as a separated process thread later in the program (Figure 6).

The wiper coordinates the destruction process into groups, each handled by its own process thread. First, the wiper creates a thread to overwrite itself (Figure 13, lines 173, 209). This thread is passed to WaitForMultipleObjects which waits till the very end when the overwrite occurs.

Next, the wiper makes the system unusable and cannot be revived. First, the wiper locates the MBR and the boot sector of all available physical drives from 0 to 100 (Figure 13, lines 178-179). Then it generates a 4096 byte buffer filled with random bytes. 4096 is the Windows default allocation size (Figure 8). The destruction of MBR and boot sector render the OS unable to reboot (Figure 13, line 213).

Then, the wiper makes it impossible to restore the system by overwriting the $I30 and the $DATA attributes of the C:\System Volume Information directory (Figure 13, lines 183 and 213). The C:\System Volume Information directory contains system restore points and information used by VSS.

--Begin target attributes--
The $I30 attribute covers both of the following attributes:
    1. $INDEX_ROOT - contains information about the files and sub-directories .
    2. $INDEX_ALLOCATION - contains spilled over information from $INDEX_ROOT.
The $DATA attribute contains user or system stored content.
--End target attributes--

Then the wiper starts a low priority process thread for fragmentation, skipping the following Windows system directories when enumerating files (Figure 13, line 203 and Figure 9). User files that are not in the following directories will be fragmented using FSCTL_GET_RETRIEVAL_POINTERS to obtain the file's allocation and location on disk. The output is randomized and passed to FSCTL_MOVE_FILE to relocate the file's virtual clusters (Figure 10).

--Begin skipped directories--
Windows
Program Files
Program Files(x86)
PerfLogs
Boot
System Volume Information
AppData
--End skipped directories--

In this newer version of HermeticWiper that was compiled in 2022 ensures the wiper will bring down a Domain Controller in the shortest possible time. First, the wiper checks for the presence of C:\Windows\SYSVOL using GetFileAttributesW (Figure 13, line 220). The SYSVOL directory indicates the victim's system is a Domain Controller Server, which is responsible for security authentication requests within a domain. In this case, the wiper waits for three minutes to ensure the destruction of the MBR, boot sector and data requires for a system restore (that already happened in the thread created in Figure 13, line 211). The wiper process and all its process threads exit (Figure 13, lines 220-224). The domain controller continues to function until the next reboot.

The second stage of data wipe continues on systems that are not identified as a Domain Controller server (Figure 14) .

The wiper will locate the MFT and its backup in the $MFTMirr file in NTFS, or the Boot Sector in a FAT file system (Figure 11) of all available physical drives from 0 to 100 and store them in a customized structure to be wiped later (Figure 14, lines 228-229, 266). A buffer with random bytes is also generated and passed to the structure.

Then it locates $Bitmap (contains clusters allocation statuses) and $LogFile (contains journals of metadata transactions) from all available logical drives, such as "C:\" and "D:\" (Figure 14, line 232) and stores them in the same customized structure for these data to be wiped later (Figure 14, line 266).

Next, it recursively locates users files from the user's directory, avoiding the AppData directory and user filename that contains the "ntuser" string. It also recursively locates files under the user's Desktop and My Document directory (Figure 14, lines 236, 239). These locations are also stored into the same customized structure to be wiped later (Figure 14, line 266).

The C:\Windows\System32\winevt\Logs directory contains all Windows events logs. The locations of $I30 (includes $INDEX_ROOT and $INDEX_ALLOCATION) as well as locations of $DATA attributes are collected into the same customized structure for these data to be wiped later (Figure 14, lines 242, 266).

The wiper terminates the data fragmentation in 30 seconds, then calls the same function utilizing FSCTL_GET_VOLUME_BITMAP to obtain occupied clusters in a volume. This information is passed to a separated write structure to be wiped by random buffer later (Figure 14, line 267).

The HermeticWiper accepts up to two optional numeric inputs (Figure 15). The first numeric input is used to set the first sleep timer that triggers InitiateSystemShutdownExW in a process thread (Figure 13, line 197). If no input is provided, the resulting 34 minutes will be used and the least significant four digits in milliseconds are randomized (Figure 13, lines 187-192) before passing to the sleep timer. That randomization in sleep time is negligible when measuring in minutes. The second numeric input, if provided, will be compared with the first input and the smaller value will be used. If no input is provided, the resulting 19 minutes will be used and the least significant four digits in milliseconds are randomized (Figure 14, lines 244-253). This second sleep time keeps the main wiper thread alive.

This HermeticWiper variant is signed with the following digital certificate issued by Hermetica Digital Ltd as displayed below:

--Begin Digital Certificate--
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
       Validity
           Not Before: Apr 13 00:00:00 2021 GMT
           Not After : Apr 14 23:59:59 2022 GMT
       Subject: businessCategory=Private Organization/jurisdictionCountryName=CY/serialNumber=HE 419469, C=CY, L=Nicosia, O=Hermetica Digital Ltd, CN=Hermetica Digital Ltd
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:92:62:5f:e5:0c:1e:d0:de:a6:75:e5:50:58:1a:
                   02:87:e4:4f:3c:b4:f1:d9:6d:e7:b6:4c:94:c6:78:
                   59:31:39:58:a3:18:d4:d2:56:44:d6:09:1f:ab:8b:
                   fc:3f:72:bf:15:fa:56:ae:64:16:21:13:5b:44:e3:
                   29:68:27:4d:30:eb:2e:b1:05:5c:e2:2d:48:d7:62:
                   ba:b7:1e:f8:de:74:28:e8:90:50:6f:1c:82:5f:7a:
                   e0:d8:60:5f:5c:62:7c:a3:25:bf:f1:99:ab:60:a6:
                   3d:e8:a9:0e:92:3f:4b:18:d7:fb:03:9e:1d:ec:89:
                   d5:73:aa:b0:a1:4c:1d:4b:a7:0e:b4:44:75:3a:41:
                   c0:30:82:a6:0c:b4:db:55:13:93:f2:c5:09:88:a3:
                   18:1e:7f:31:d0:1b:5a:ad:94:07:04:32:d9:8f:18:
                   65:5a:b8:a5:55:91:9f:ef:ea:9d:e1:ed:f1:bd:ff:
                   c6:3e:ff:83:28:87:2e:be:38:ad:21:96:2f:5c:40:
                   0f:6c:35:a8:48:2f:a7:a9:cd:bc:19:56:37:25:ec:
                   83:12:f5:90:e5:88:a0:bb:ef:4b:0b:11:85:2e:38:
                   c7:e3:9e:41:53:9f:9f:52:97:fe:b2:d2:0b:ff:74:
                   c9:5b:f0:e5:ad:ad:c2:40:e6:7a:5c:2f:3e:76:f6:
                   09:93
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Authority Key Identifier:
               keyid:8F:E8:7E:F0:6D:32:6A:00:05:23:C7:70:97:6A:3A:90:FF:6B:EA:D4

           X509v3 Subject Key Identifier:
               C4:9F:18:1C:59:D2:5B:25:71:9E:F1:37:B7:60:59:D6:2A:07:99:E1
           X509v3 Subject Alternative Name:
               othername:<unsupported>
           X509v3 Key Usage: critical
               Digital Signature
           X509v3 Extended Key Usage:
               Code Signing
           X509v3 CRL Distribution Points:

               Full Name:
                URI:http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl

               Full Name:
                URI:http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl

           X509v3 Certificate Policies:
               Policy: 2.16.840.1.114412.3.2
                CPS: http://www.digicert.com/CPS
               Policy: 2.23.140.1.3

           Authority Information Access:
               OCSP - URI:http://ocsp.digicert.com
               CA Issuers - URI:http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt

           X509v3 Basic Constraints: critical
               CA:FALSE
   Signature Algorithm: sha256WithRSAEncryption
        44:da:48:c6:eb:9c:2f:04:bf:3d:64:18:61:13:e0:ad:ec:ec:
        51:93:df:7b:59:6a:95:c1:73:2c:c9:46:19:b1:c2:77:72:85:
        b0:40:c6:52:db:bc:d2:b2:07:19:0f:48:0a:26:c7:05:a3:f5:
        c6:10:f7:55:b2:f1:f3:a6:6f:75:24:04:e4:b5:51:8c:d9:41:
        31:0a:01:5e:4a:f8:e5:96:8c:82:31:49:2f:e1:92:46:a2:93:
        a5:69:d5:d7:a3:6f:56:eb:2f:c5:b6:8f:ff:6f:33:59:c1:9a:
        f6:80:69:20:c3:fe:66:28:f9:0a:75:44:0e:66:16:29:7a:03:
        1b:a6:07:51:00:d7:2d:fa:a9:82:9e:77:2e:45:d7:7b:89:f8:
        62:08:1e:af:db:19:b4:b2:dc:ef:3f:27:3f:f6:45:ac:ce:aa:
        4b:99:1f:98:37:39:73:c0:fb:25:82:9e:86:0d:9b:c1:95:ef:
        1a:0a:d9:21:94:56:ad:07:7d:42:86:8e:e0:3e:e0:0e:88:d0:
        4c:43:4b:a9:7e:88:df:99:27:3a:35:e2:c6:68:a1:c6:99:54:
        b4:76:23:90:ab:df:be:4c:d4:af:c8:65:e4:34:18:a5:6c:89:
        dc:37:25:34:28:03:b4:d4:6a:35:69:82:35:0a:e0:7f:01:c1:
        95:cb:26:e2
-----BEGIN CERTIFICATE-----
MIIFiTCCBHGgAwIBAgIQDEhzKHOsjM66+PDh6DKc7DANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBFViBDb2RlIFNpZ25p
bmcgQ0EgKFNIQTIpMB4XDTIxMDQxMzAwMDAwMFoXDTIyMDQxNDIzNTk1OVowgacx
HTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMT
AkNZMRIwEAYDVQQFEwlIRSA0MTk0NjkxCzAJBgNVBAYTAkNZMRAwDgYDVQQHEwdO
aWNvc2lhMR4wHAYDVQQKExVIZXJtZXRpY2EgRGlnaXRhbCBMdGQxHjAcBgNVBAMT
FUhlcm1ldGljYSBEaWdpdGFsIEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAJJiX+UMHtDepnXlUFgaAofkTzy08dlt57ZMlMZ4WTE5WKMY1NJWRNYJ
H6uL/D9yvxX6Vq5kFiETW0TjKWgnTTDrLrEFXOItSNdiurce+N50KOiQUG8cgl96
4NhgX1xifKMlv/GZq2CmPeipDpI/SxjX+wOeHeyJ1XOqsKFMHUunDrREdTpBwDCC
pgy021UTk/LFCYijGB5/MdAbWq2UBwQy2Y8YZVq4pVWRn+/qneHt8b3/xj7/gyiH
Lr44rSGWL1xAD2w1qEgvp6nNvBlWNyXsgxL1kOWIoLvvSwsRhS44x+OeQVOfn1KX
/rLSC/90yVvw5a2twkDmelwvPnb2CZMCAwEAAaOCAekwggHlMB8GA1UdIwQYMBaA
FI/ofvBtMmoABSPHcJdqOpD/a+rUMB0GA1UdDgQWBBTEnxgcWdJbJXGe8Te3YFnW
KgeZ4TAnBgNVHREEIDAeoBwGCCsGAQUFBwgDoBAwDgwMQ1ktSEUgNDE5NDY5MA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzB7BgNVHR8EdDByMDeg
NaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRVZDb2RlU2lnbmluZ1NIQTIt
ZzEuY3JsMDegNaAzhjFodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRVZDb2RlU2ln
bmluZ1NIQTItZzEuY3JsMEoGA1UdIARDMEEwNgYJYIZIAYb9bAMCMCkwJwYIKwYB
BQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBAzB+Bggr
BgEFBQcBAQRyMHAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv
bTBIBggrBgEFBQcwAoY8aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD
ZXJ0RVZDb2RlU2lnbmluZ0NBLVNIQTIuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZI
hvcNAQELBQADggEBAETaSMbrnC8Evz1kGGET4K3s7FGT33tZapXBcyzJRhmxwndy
hbBAxlLbvNKyBxkPSAomxwWj9cYQ91Wy8fOmb3UkBOS1UYzZQTEKAV5K+OWWjIIx
SS/hkkaik6Vp1dejb1brL8W2j/9vM1nBmvaAaSDD/mYo+Qp1RA5mFil6AxumB1EA
1y36qYKedy5F13uJ+GIIHq/bGbSy3O8/Jz/2RazOqkuZH5g3OXPA+yWCnoYNm8GV
7xoK2SGUVq0HfUKGjuA+4A6I0ExDS6l+iN+ZJzo14sZoocaZVLR2I5Cr375M1K/I
ZeQ0GKVsidw3JTQoA7TUajVpgjUK4H8BwZXLJuI=
-----END CERTIFICATE-----
--End Digital Certificate--

Screenshots