{
	"id": "4e24c265-44e3-4d3f-b310-5409ff7955b0",
	"created_at": "2026-04-06T00:14:25.544572Z",
	"updated_at": "2026-04-10T03:23:52.345525Z",
	"deleted_at": null,
	"sha1_hash": "7bc28712394f1ed327b97326f17a0727fe150ae1",
	"title": "HZ RAT goes China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2965361,
	"plain_text": "HZ RAT goes China\r\nBy DCSO CyTec Blog\r\nPublished: 2022-11-16 · Archived: 2026-04-05 20:14:08 UTC\r\nWalking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we found HZ Rat — a lesser known Trojan.\r\nSource: https://www.craiyon.com ❤\r\nThe malware we analyse in this article initially aroused curiosity because the payload of the RTF document did not match the pattern we had previously observed in relation to the deployed Yara hunt. Furthermore, the dropped binary shows interesting behaviour as it does not contact the C2 server via domain requests and instead exclusively uses a mix of public and private IP addresses. Especially the use of private IP addresses to contact the C2 server seems uncommon.\r\nhttps://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2\r\nPage 1 of 24\n\nFirst OSINT research of the malware led to no results regarding public reports or analysis reports. Only Rising, a Chinese security company, seems to know more, given that they published an AV signature for it. Therefore, the malware we analyse in this article can be identified as “Backdoor.HZRat!1.DB91 (CLASSIC)”, defining the name of the malware as “HZ Rat”.\r\nIn this article we analyse HZ Rat and try to connect the breadcrumbs we found along the way. We discuss the distribution methods, visualise the timeline of the campaign and communicate with the C2 servers.\r\nBlog authored by Axel Wauer and Johann Aydinbas\r\nDistribution\r\nThe threat actor utilises two different attack chains to deliver the backdoor to its victims: either embedded in a self-extracting zip archive or dropped by a malicious RTF document, presumably built with the Royal Road framework.\r\nTwo ways to deliver HZ Rat.\r\nRTF documents\r\nThe first distribution method used is an RTF document. 
The document itself contains no content, images or text; only the lure filename is used to social engineer the victims into opening the document. Once opened, the document writes HZ Rat to disk as default.exe and executes it with an Equation Editor exploit (CVE-2017-11882) hidden in the document and triggered after opening the document.\r\nThe process tree below illustrates how the document executes the payload. A more in-depth explanation of the Equation Editor exploit (CVE-2017-11882) and how it works can be found in one of our previous posts here.\r\nProcess tree for 7b3c52a8422ad139627ac1bd2402d259f256863e253f1ee177579148a0820e53\r\nBased on the Equation Editor exploit object we identified a long list of documents on VirusTotal which are all linked to HZ Rat samples, indicating regular use as shown below:\r\nThis version of the Equation Editor exploit reveals other malicious documents delivering HZ Rat.\r\n7zS.sfx — Self Extracting Zip Archive\r\nThe second distribution method simply piggybacks on the archive extraction process after tricking a user into executing a malicious self-extracting archive. Pretending that the archive installs OpenVPN, PuTTYgen or EasyConnect, the archive actually executes install.vbs, which first runs the contained default.exe (HZ Rat) and afterwards the actual lure program. 
The content of install.vbs is kept simple as shown below:\r\n' install.vbs\r\n' https://www.virustotal.com/gui/file/f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc\r\n' objArgs(0) is the dropped HZ Rat binary (default.exe), objArgs(1) the lure program\r\nSet shl = CreateObject(\"Wscript.Shell\")\r\n' run HZ Rat through a hidden cmd window (window style 0) and let cmd exit afterwards\r\nCall shl.Run(\"cmd /K \" \u0026 objArgs(0) \u0026 \" \u0026 exit\", 0, false)\r\n' then start the visible lure program the user expected\r\nCall shl.Run(objArgs(1))\r\nSet shl = Nothing\r\nWscript.Quit\r\nThe process tree below illustrates this behaviour as well. The initial filename “VPN登录控件.exe” roughly translates to “VPN Login Control.exe”.\r\nProcess tree for bfae9c954fe53a2841a6ee5d1bae41ac746cb40ac3863afaa18446c2eca25bfc\r\nSame Sample In Both Attack Chains\r\nDuring our analysis, we noticed that some samples are used in both attack chains, which allowed us to connect both attacks to one campaign.\r\nSame sample deployed in both attack chains\r\nHZ Rat Analysis\r\nGiven that we couldn’t find any research on HZ Rat online, the following section briefly analyses the malware and lists its capabilities.\r\nThe PDB Path\r\nOur list of collected samples can be divided into plain and packed samples. At the time of writing the group of plain samples is slightly larger, but a trend towards packed samples is clearly identifiable. The plain samples conveniently include the PDB path and, we believe, the version number. 
In some instances, the PDB path also contains what is presumably the project name “hp_client_win”, as shown in the block below:\r\nD:\\WORKSPACE\\HZ_2.8.2\\hp_client_win\\Trojan\\x64\\Release\\Trojan.pdb\r\nD:\\WORKSPACE\\HZ_2.9.0\\Trojan\\x64\\Release\\Trojan.pdb\r\nD:\\WORKSPACE\\HP\\HZ_2.9.1\\Trojan\\Default\\Release\\Default.pdb\r\nThe PDB path appears to be the reason why Rising named their AV signatures HZ Rat. For most of the samples we identified, the following Rising AV signatures triggered as well:\r\n* “Backdoor.HZRat!1.DB91 (C64:YzY0OiTdg76jwZSL)”\r\n* “Backdoor.HZRat!1.DB91 (C64:YzY0Ol8Gio2fTy+DE6K09G2bPqs)”\r\n* “Backdoor.HZRat!1.DB91 (CLASSIC)”\r\n* “Backdoor.HZRat!1.DB91 (CLOUD)”\r\nBased on the collected samples, there are at least three versions of HZ Rat available, namely HZ_2.8.2, HZ_2.9.0 and HZ_2.9.1, as well as the packed HZ Rat versions, which don’t contain the PDB path anymore.\r\nCapabilities and Protocol\r\nThe malware itself is kept very simple. Once started, it iterates through a list of C2 servers in order to connect and receive commands. The malware behaves like a client and simply executes received commands. Once connected, the C2 server sends one of five possible commands listed below:\r\n* execute PowerShell command and send STDOUT to C2\r\n* execute PowerShell script and send content of specified temp file to C2\r\n* write file to disk\r\n* upload file to C2\r\n* ping (appears to be buggy)\r\nThe communication protocol itself is custom. It requires a specific “handshake” pattern (referred to as “Cookie” in the malware) in order to initiate the communication with the C2 server. 
Besides this, the communication itself is XOR encrypted using the key 0x42.\r\nCustom communication pattern sent from the client to initiate the C2 server communication\r\nCustom Packers\r\nIn the early days of July 2022, we detected the first versions of packed HZ Rat samples. The packer itself is custom and initially only encoded the payload with Base64, which we reference as packed_base64_v1. The packer evolved shortly after detection to a slightly more elaborate Base64 packer, which we identify as packed_base64_v2. The last known version uses AES to encrypt its payload. We reference this packer as packed_aes_v1.\r\nDuring our analysis, we generally extracted samples packed with the first version (packed_base64_v1) with a simple bash script approach as shown in the screenshot below.\r\nSimple Base64 unpacking command for packed_base64_v1 samples\r\nThe bash script approach did not work for samples packed with packed_base64_v2 and packed_aes_v1, which is why we wrote custom unpacking tools for both packer variants. We share the unpacker here.\r\nThe packer architecture to unpack the AES encrypted data and to execute the payload is quite simple, as shown in the screenshot below. The library used for AES decryption is WjCryptLib.\r\nArchitecture of the AES packer executing the payload\r\nBelow we share an example list of samples of the packed HZ Rat variants:\r\n8ba90d91eea87f6f7b9df4010b038dd2692b62777677f421f7d1003f28f29bb4\r\nb4670afde3e88951274780f2128c9584ef80813293ac64c69225fac3926e71ee\r\ne350dc55f61eda0a7372fb5bbf35fac6d8c928912f3bef75efeaca7c1338093f\r\nCampaign\r\nAlongside the malware analysis, we started searching for more HZ Rat samples. 
For this, we created and deployed Yara rules on VirusTotal which we share here. Based on this rule, we were able to identify more than 120 HZ Rat samples spread over the last two years.\r\nIn an attempt to visualise the discovered data set, we created a time graph based on the creation_date timestamp of each sample and the correlating first_submission_date of the sample to VirusTotal. While the creation_date timestamp could be tampered with, it does not appear to be in this case. The resulting graph below provides a rough view into the operational time of the malware. The graph indicates constant use and development of the malware over time.\r\nHow to read the graph: Each horizontal line in the graph connects an HZ Rat sample’s creation timestamp (shade of red/black) to its first submission timestamp (green)\r\nThe diagram above illustrates the HZ Rat versions HZ_2.8.2, HZ_2.9.0 and HZ_2.9.1 in shades of red/black over time. The graph indicates that the HZ Rat samples are built on fixed dates. We believe that the malware was created only once in a while or once per version. This “gold sample” then gets copied as needed and only the C2 IP addresses are patched into it afterwards. The second graph below adds the creation timestamp of the corresponding distribution method files, which seem to be created earlier but used in the same copy, paste, patch approach as HZ Rat. 
The gaps between creation date and first submission date of each sample frame the period of malware deployment.\r\n“Creation times” of the related delivery method added to HZ Rat overview\r\nThe samples with the shortest time between creation date and VirusTotal first submission are listed below (SHA256, sample type, time difference):\r\nbb540a1e357b50e406e07f35993471dec1b8502961301e7984581134518c40a4 - HZ packed - 0 days 00:16:13\r\n5b40c2e609ec90fcfd4e0be7b642f8b7bc6bd552801caea2b9d1fdd6992b6982 - HZ packed - 0 days 00:18:35\r\neac8587a6b5a1ed5b652bf8440afff90da3b846cec63a5d4f755a1a5fa87b375 - HZ packed - 0 days 00:27:26\r\ndd153c8c59bf3e47b894da9777c25424bb9b7e16686010378098d207646c6a42 - HZ packed - 0 days 02:43:15\r\n6abe974c807a03f81ad3e7ba7ff7695b30c450733533ff9df733c3050e74a368 - HZ packed - 0 days 03:03:46\r\na4574b3df09d3c62d780693e71031a8d5d656ed933dbc07be8175249cb7ccaca - HZ packed - 0 days 03:12:01\r\n85b6664c386c2c9cd7d0a8a6dc08c281c814669bdb75f02e5b24d1f893eaae69 - HZ packed - 0 days 04:48:08\r\n431fc223b302150ef2ab549c9ae8f96cb964a73aa1a860279d2b0f9039f09e2e - HZ packed - 0 days 22:36:12\r\n05d2668a9b80f58bc5b05f3e705aac60f05268ec8ed68b302104e2b5ee4fdf3f - HZ packed - 0 days 22:45:10\r\n5b37a1144e92a20c2d7c44d1ee896be8635d56d7b03a74f0e89e13e69f63e343 - HZ packed - 1 days 00:15:39\r\nCommand and Control Servers\r\nHaving the malware analysed and the campaign visualised, we switched our focus to the C2 servers. For this, we wrote a C2 server extractor to extract all C2 server addresses from the samples we previously collected and to compile a large list of all known C2 servers and related ports. We share the extractor here. Remarkable about this list is the mix of private and public IP addresses. We also noticed that all possible combinations of private and public IPs are available in single HZ Rat samples. 
Listed below are samples with C2 server lists to represent all possible private/public IP combinations:\r\nC2 servers - public IPs only:\r\n- Sample:\r\n * 41bf15434e1b417692edfc46395b0ca867b7af0a99f42256760c9de92d1a7d1d\r\n- IP:\r\n * 10.8.8.190:8081\r\nC2 servers - private IPs only:\r\n- Sample:\r\n * 8288d98084d63d1c0955d2393540c8638adadca7befedd5315e0cb3bd92be3fa\r\n- IP:\r\n * 192.168.110.140:8081\r\nC2 servers - private and public IPs:\r\n- Sample:\r\n * f27cd021ba45e3b1070a380fa6be2204cebbdf98ae6d38d90560b1f1bb6c0195\r\n- IP:\r\n * 114.113.238.83:9000\r\n * 221.195.106.200:9090\r\n * 192.168.210.179:8081\r\n * 192.168.211.20:8081\r\n * 192.168.211.10:8081\r\n * 192.168.218.128:8090\r\nServer Availability Check\r\nFor a better understanding we generated a heat map of all known C2 server locations. The map clearly visualises a focus on China. Fewer than five C2 servers per country were also located in Russia, Australia, the United States, the Netherlands and Spain.\r\nC2 server distribution globally.\r\nOur next analysis step after compiling the list of IP addresses was to contact all C2 servers and to find out whether any of them are still online. To do so, we re-implemented parts of the communication protocol and the initial handshake required to establish the connection. The scan revealed that more than 10 servers are still online and even respond. This indicates that the campaign is long running and still active. 
The screenshot below provides the output of our C2 server scan including the start of the server responses.\r\nScanning for HZ Rat servers and evaluating first response packet, scanned 2022-08-02\r\nFor the sake of completeness, the list of responding C2 servers is shown below:\r\nOnline 106[.]120.215.202:8089\r\nOnline 114[.]113.238.83:9000\r\nOnline 114[.]113.238.84:6523\r\nOnline 114[.]251.223.84:8081\r\nOnline 116[.]54.125.202:8081\r\nOnline 116[.]6.102.21:8081\r\nOnline 124[.]250.18.111:8080\r\nOnline 218[.]22.14.11:8081\r\nOnline 220[.]248.250.19:8081\r\nOnline 222[.]85.157.82:8081\r\nOnline 58[.]240.32.125:8081\r\nOnline 61[.]144.203.171:8081\r\nServer Response\r\nShortly after identifying the C2 servers and checking their availability, we noticed that it is possible to extract the full command list from the C2 servers by implementing the whole communication protocol in order to keep the communication ongoing. The command list then allows us to learn more about the actual attack. We share our proof-of-concept C2 scanner here.\r\nThe list below provides a communication stream we received with our protocol re-implementation. We always responded with a packet containing “HMRAM5ZSOL”, which is the reason why some paths and requests from the server also contain “HMRAM5ZSOL” and appear to be out of context.\r\nReceived and decrypted C2 server communication\r\nReviewing the received commands indicates that, besides system reconnaissance, a strong focus is set on credential dumping. Noteworthy are the regional target indicators like attempts to copy files from folders such as Tencent Files or Wechat Files. 
In general, the attacker aims to acquire data from various locations and applications. This includes credentials for:\r\n* PremiumSoft, which we assume aims for Navicat, a database development tool,\r\n* filenames containing wxid, which we assume is related to WeChat,\r\n* .aggressor.prop, which contains Teamserver credentials,\r\n* .gitconfig, which contains Git credentials,\r\n* stored credentials in Google Chrome,\r\n* stored credentials in Microsoft Edge,\r\n* stored credentials in Mozilla Firefox,\r\n* logins.json and key4.db, indicating Thunderbird credentials.\r\nAt an early stage of our analysis we decrypted the full communication flow of an HZ Rat sandbox run which we found as a PCAP file provided by Zenbox on VirusTotal. We share an example of the decrypted communication here and our PoC PCAP decryptor here.\r\nMiscellaneous\r\nAlong our analysis path, we discovered puzzle pieces of HZ Rat we cannot link to the analysis path above. We still want to mention them in the following section to keep them documented and help other analysts later.\r\nChina State Construction Engineering Corporation Ltd\r\nOne of the samples we found was hosted on http://oa.cscec[.]com/Customer/posetup.exe as shown on VirusTotal. 
CSCEC is known as “China State Construction Engineering Corporation Ltd.”\r\nHZ Rat sample hosted at CSCEC\r\nBesides this, we were able to identify the following download URLs and endpoints on HZ Rat C2 server IPs.\r\n114[.]251.223.84:8081/default.exe\r\n116[.]236.40.57:8081/default.exe\r\n220[.]248.250.19:8081/default.exe\r\n116[.]236.40.57:8081\r\n183[.]196.0.25:8081\r\n218[.]76.15.13:8081\r\n220[.]248.250.19:8081\r\nMutex Gives Cobalt Strike Beacon Away\r\nIn addition to the unique PDB path, all versions of HZ Rat use the same mutex {91E99696-92CC-43F4-99B0-774D80BDAA6B} to prevent multiple executions on the same system. This mutex gives away a huge list of HZ Rat samples on VirusTotal and allows us to keep track of the campaign. Besides the HZ Rat samples we were able to identify one Cobalt Strike stager with the same mutex and packed with packed_base64_v1.\r\nBase64 packed Cobalt Strike: 15a3175f0097386f617c33fb2552dc8e5972055bb4ff99ef8532763e248543b7\r\nBase64 packed Cobalt Strike pdb path: C:\\Users\\dell\\source\\repos\\WindowsProject1\\Debug\\WindowsProject1.pdb\r\nIncluded Cobalt Strike sample: 40b46a3d38c80a4bb4a2b0a3eeaa6e420ff6d180a51f43121955ca1a05695b05\r\nextracted Cobalt Strike sample - C2 server: hxxp://81.68.122[.]239:443/1Pfu\r\nextracted Cobalt Strike sample - pdb path: C:\\Users\\dell\\source\\repos\\WindowsProject2\\Release\\WindowsProject2.pdb\r\nBased on the given PDB path, we noticed another group of Cobalt Strike stagers with similar PDB paths contacting the same C2 server as the Cobalt Strike stagers before.\r\n* pdb path: C:\\Users\\dell\\source\\repos\\WindowsProject2\\Release\\WindowsProject2.pdb\r\n* Hash SHA256:\r\n * 41371f62de279d71243adc0e7dd7576007c2c4facff16def41c82fe638cb6fbe\r\n * c9777c64231161b8e3d941d6ea37d081c12cef830cbdf92fcb245a8f29ccd8e0\r\n * 5801b9c635f36eb82f154e3c349bfc30724c4f3334ef8ea1e5fa20b5d022592b\r\n * d4fa8743874c2c1c3b2b643f54470a5d2f72a7a400a04cd7e36f5ee6ad7a907b\r\n* Cobalt Strike sample - C2 server: hxxp://81.68.122[.]239:443/1Pfu\r\nAnother Cobalt Strike stager, this time packed with packed_base64_v2.\r\nBase64 packed Cobalt Strike (packed_base64_v2): 94b0bda42e7d1e01bf0b832742526d1975c7f211440c646c54ef58c5d7a8fa06\r\nBase64 packed Cobalt Strike pdb path: C:\\Users\\dell\\source\\repos\\WindowsProject1\\Debug\\WindowsProject1.pdb\r\nextracted Cobalt Strike sample: e83be4a374a989296bb511167ec20361454b758f5b001ea4f03393b1b56669d9\r\nCobalt Strike sample - C2 server: hxxp://81.68.122[.]239/Rbs5\r\nCobalt Strike sample - pdb path: stripped\r\nConclusion\r\nThis article uncovers a campaign previously unknown and undocumented. We identified HZ Rat as the payload of malicious RTF documents, found two distribution methods and multiple custom packers. Along our analysis we were able to identify over 120 samples and 3 versions of HZ Rat. We believe that the campaign is still ongoing and has been active since at least October 2020. HZ Rat itself is used as an initial access tool with limited capabilities like command execution and file upload. Our research revealed that this malware was utilised for credential stealing and system reconnaissance.\r\nIoC\r\nBelow we share our IoC list. 
Our tools, the related MISP event and our Yara rules are available on Github as well.\r\n8ba90d91eea87f6f7b9df4010b038dd2692b62777677f421f7d1003f28f29bb4\r\n15a3175f0097386f617c33fb2552dc8e5972055bb4ff99ef8532763e248543b7\r\nb4670afde3e88951274780f2128c9584ef80813293ac64c69225fac3926e71ee\r\neac8587a6b5a1ed5b652bf8440afff90da3b846cec63a5d4f755a1a5fa87b375\r\n7ba72fa840bcf6de6fb780cfd6593f14507d8e8790eeb8cbac56cafe14a7e5f5\r\ncda5c0fad26119c50ef063dfb3c6bd666877e564d31b64341486298cc9568242\r\neb95965f10efca15fc021f879923679a7acb2302ed1211d4d08529efc10a73a9\r\n2ca22a75575f63575f87f653780367058f90bce24a77876c16d927f747f78afd\r\n5da049fb045f8eb7865db8d51b54769035974444534bbc23c965e55f29f70b58\r\n2cedea36bbdc44d8ec83acf86c18f867547c8c53ebb234a4b2c8eed4e9ecac16\r\n7cbb19d3ea54309167b4d09cfb0562313aa3b0822637b7449e05f8ab603d30e4\r\n94fd1888e349ca100fcc557e446538e1524f3d6e36b234f39d9075414118e95f\r\nd5763310b90a82cf8754892c61442746db57cb169c639dd2bc0ceb989c6222a5\r\na16734ffb1895423dd39ee243dcd7a867936568d4ec006fadc8f55d74aa742cd\r\n74f0271fbfb86fbcb0370b3b9de8845cc8a8f7a1be1536d131da724bc5128db4\r\n7bfe5a1a31db7a1de7f42dc35b02797c4d29ae079c525404470f85b5a4a46283\r\n97114be15a56f10225e1605284e568adeb2c5bef4f6941cb8da3cd20c389305f\r\n195459fdb0ca5b775e864a69f47a0acd5761f56777e29d3e09a84420362248b7\r\n327ffcc9ddb5748cdf3b2c43c7a2fc2778e86ee69649c7c692253699f713ee91\r\nebce7218348ad7292c7c3bbbcf7246ad24827a3c040622895b8ce3880d8e0516\r\n410004b8ef0096e4029def96895ef4cea89e1e41e3113ef995ab9c19de39782b\r\nca0ecb347f6d877e40272f43d203c12603087b8102757686c0162bcc770b4ec9\r\nb75a1ef557e02d243b77dbf5c5361d3a702b6b13108f4df631f565b8191fe652\r\n05d2668a9b80f58bc5b05f3e705aac60f05268ec8ed68b302104e2b5ee4fdf3f\r\ne8ef31de4a5e751ec1c8fc8a41b48030e3f3e9cf466eafd250574127e5b1107c\r\n5f5388bf011eb01702b3ea01a994b1d0a666448d61a4bd70bbc048f2dfb3b386\r\n64f46b97eb19b750b9fbd97a786ef5ea050ffe65ea6b09eef2be23d7b10a6987\r\ncffcae49f944635ab86518e172a516f15c6ad8300b168243371c20893bdf90ba\r\ne81d27b
7132a18d58693b41b18f24e70e63c5b8366acde4c05f8a4d7800e0fcc\r\ne36a5ed08916d63efc5bc1d2ccf7e7185fc13b72d744339cc89552d6f8ebc9cd\r\n1d8be308521bda4857742a2fb9ef65020126e5f623ef2540c3a3ab999c4578b6\r\na880a9ebfcdeed5a8180969bc34a2d9861580ecfff6d63f8a4d223541284f17b\r\nd4940f74664a1571964fba1a4e0a7a070f5cbfeb2e1f2823c3e51b8677a002f4\r\n02878538eda1b69cc276332943b580fde422bf413728cbfb872b72fd06170a7b\r\nff4bb86a4d728c1334987084e2aca4e06973da20b5dc4fcba1394376910fb584\r\nbb540a1e357b50e406e07f35993471dec1b8502961301e7984581134518c40a4\r\n43633be77bf48025fa74409e45dc2f9ebacce5d8e915d98b965b919592c4e357\r\nb246c5e739d19041d5643a58f1d421d93578203ace87b24bc92eda8fe7f43a57\r\nc1488c2a93975f89eefe0652e2955d629a20a20d8f24a8f0330d21eaa1122942\r\ndaa9d237c0d35b658fd190b01f04a9fe0e0ff630d53044171b71841da6e73b93\r\nf0e00c806cda1d8fb5618c2bdc5275392f8065cb271fda2cb29bc74fda0f589b\r\nhttps://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2\r\nPage 16 of 24\n\nce7dbc382bbe039a461cd946ed51ef96940f709faeed2c6b6a270d31e06ca187\r\n8a783d6397a6acff33cbae51cae7b9a1d7dbb1ec4c36fe78f2d6cdc76ece372e\r\ndf6470efe8ef0a75c95a1e46f89149baaf5369676bf05390f5e7bb140f6eaba0\r\n448469af181da35ea187613754fa0ce5f5ba2a3b57062d0ed0d1e2695c46c52d\r\n5b40c2e609ec90fcfd4e0be7b642f8b7bc6bd552801caea2b9d1fdd6992b6982\r\ndd153c8c59bf3e47b894da9777c25424bb9b7e16686010378098d207646c6a42\r\n85b6664c386c2c9cd7d0a8a6dc08c281c814669bdb75f02e5b24d1f893eaae69\r\n431fc223b302150ef2ab549c9ae8f96cb964a73aa1a860279d2b0f9039f09e2e\r\na4574b3df09d3c62d780693e71031a8d5d656ed933dbc07be8175249cb7ccaca\r\nd532c5f614b296600b5e59d8c740d370587809abf3457871ab25e02d310b05a7\r\n82bf73b30c2c8cdf1d99325820b93f2564e82960154e19d6108b168de0d0999a\r\ne350dc55f61eda0a7372fb5bbf35fac6d8c928912f3bef75efeaca7c1338093f\r\n9e22fe08d2543952b8939f3f830870e46ceae0443bfb316bca4896d12a20b6b1\r\nba10cd8c7534e6b6f15976c68f85532bc4a95522b1ff9255372195aa4ecafd28\r\n07c27522de40dcf482c9259090f56cb17f512295a0c63de8e7394b3aa593b0f0\r\n6abe974c807a03f81ad3e
7ba7ff7695b30c450733533ff9df733c3050e74a368\r\ndd833d5a522abd6748ead5ae9c5ca329b5c26822fcc9dd00a4103a43705ef328\r\n2a530e56076897ed6de33554b350bff9825e663b28d67a6417ba17740860a2db\r\n7dac6ed39734927d545eea3f06a368dd3bfaea1da5a633de0c7ea25f30aeabdf\r\n5b37a1144e92a20c2d7c44d1ee896be8635d56d7b03a74f0e89e13e69f63e343\r\n66336920db1c60ce7286790473defa5b9ffd9a91116a5d0a91e4a968f5270f76\r\nafac99afaf3298b8663e52effad48a8229f8b89c5b36700e70f1b008c73a0ee5\r\ndf172da36e208dd34c6e31f9c6d1ec6ebfef32a5d97bfa181320a9d016d6774a\r\n0fd954e54d9cff03a150eb2828cde9eb5b757562729bcb37a14722e726ae5f72\r\n48cd5e774c0bcb6ad8cac3a8b8aa4c984f2bae9ecc42a380fb3643c120887a3d\r\n163038221270cf4f0064c2306a1ff8ec82dc17201fd595d10126a564c97e9028\r\n22fc6213f13e03dea792a3a47b633db52de542af2cdca54023dbe816ea49191e\r\n43dc6e53483d76b6c212e5deb527cf67bf88ce8a9e0b0e0f25511a2c74a9242a\r\nd2d1f0e2848ad5935be0a22a484f96c6bd5ec6c0900f1fc304e315e98ebedea1\r\n40cd43e05916077d5f7d6b95f103eb9c9d93b132a10dd9f06c7c933742525be5\r\n6ae4342e2f3dfe7ffc4febb57faa60c4fede8412708af4e42c72f28788be98f5\r\ncf0287add7f389a8e02c1dec44101cdb3db67fd139c71f64c2cee4114d828990\r\nccd8d51b0658282a2a676b80bd0a210bf9462d15f5e5414099ecde5c6a22028b\r\n0568a2a26842ea0820f466c54a354400a3331569ee0d58186affaa2b937788c0\r\ncd576dc0140033a55423992f1a08f06e8db94e6bcc8646dbeb81b9094c51c541\r\n9a1b02896e7d7175cfb76573d30ae178b3943d6f45043ee3e572b6db3c8fa00d\r\n30854cac5deb9c3baf91597e65f804369d0ad2f962ffa462464bf9770a99241e\r\ncb3e71a91e832a6b4c82a3c4a993f89d2285e0236aea0dcb99c475eaa7821458\r\ndc06077246fdbe9d0589bd1bbf4b691eb14d1dc036fa845c4d9ceae8301c117c\r\nd641fc39cedcbe816b6a4b602990a87ce6184a27f62d0d37839c9a7ae02e6630\r\nf6311d5c398e7d530e045e24ea67a031a7d9f30e05a8e7646eb239b9aab36527\r\n0211df6bbf16b28941a3af808bfcf2fd3ad00cac120ce778acc09a4997b7734b\r\n12c0024b55da926aa0b87158151687ddf94e9f1f65d80c9e121d718cb2559c96\r\n1f7b11abf5ca8e96939a5a8ac3d1dcfff352ea10c6f48b3685c25157146ff414\r\n5eac7c9ade0ecc246d7b240970f877f760e1bd0f651b954af
d3b3a8d7c29597f\r\nhttps://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2\r\nPage 17 of 24\n\n1603e2a2876c467cd4001bc8dc333f8f3ceeac4adbf6a1d14919bb5a363a043f\r\nd16b637a27aada1e281d59c664f08db031128fecd95ca199bc7b11e5541d9ebd\r\n0afaeaa3eee2f90e6fbda2322a65376dd977bd529c0127d6b309a56122ba63bb\r\n4e5d0b9f0608e3cb29e89e3765961299df7cfcd03a1ea2dcd15c36bc28bebb0c\r\n4e580427fed51a485cbeb1f28af5109890835080340df0ca9c41aab4dc6f3910\r\n826deb513651c2cb043414f05ab54aa325624c6b45b9a59812c3c0b81a5e3eb0\r\n7c7ed1b8a8b8770e1be9c1f57f20d8549dfcbf0c1536fd52838223ebe0634629\r\nba28291deccc65ec836ebb6fddc78a6d3055a0a5038ba8c482b57fe23c118b81\r\n72ccba5f360b40df9bd99450b2884b807c86a0274c5f014ed3bd0c37723d958c\r\n1a337eda126f8acd4a41017b415ab40ce3d57a93902588cde28a175b20e30319\r\nb6d3e9a27e92a491e1e9eee2f6d9ccaa237aeb613ae6698e1bfbe92ac2d7fdb0\r\n7120645bacce8dd3788f10bcd73c4cb9784ad1a63e4ba47fdeb76685d94f7720\r\n167cc6c5234be4a3646dd631f54b5c4ab139cabb6ec17d9a6de29bcabad35a8b\r\nc05310b5ee57a6f43501038599bd7ae3339db5d4a5d6d192d3abe0a75d5453a0\r\n27cfd54b60d26b35cec236c929c6144dfaeb26625044d42a517d159ca692690b\r\nedca3cfd7dcb6fc2abfb897de63fb2fea656662909daf4172e7b53e8d63b04f3\r\n36d9e50c4566c33ef5a733f8e0e1c91caff39beb0309fad4962e9e83ed2a7d27\r\ne7d9ebb6f77e57c87d80009cce9bc2699cd936984ba1a11ae3c1b9c9648616f7\r\n26e6622a2594eec320b3a8e8ce64419875fa10012832e08ebd10fa1daaebc3fb\r\na9cd113410373d17d43a07196aa44c5241fb1025eda7eded2fb879ef3bd116f5\r\n02de544313e1bc1a833b10a75c55544a0ab89aa2f370ace2581df34366d11387\r\na26637423d6d9966b60be227e76ebe2940eb33b7c05bed1370db7bf33bca6ca3\r\na636a130d67d22141f1b1fad4eaf23b8cdbaf249ff2866bed526d32a344bb083\r\n94cd891f8e4391c1d5f7cc8362661b0072f55a8f528592435752178ddcf5873e\r\naddf28bba19123352ce84c8c0c3d5a66e084abf83bba39fa0fdd9f29011c36b8\r\n9fa7ee1ea42aafc852ae8365de35d61230cc2e0b17ce3722aa04fc9b41682b23\r\n28bb8c1efdd0989d8f9620168e36d7da47353e84473d39c9c08c97611d7ac615\r\n0fcad5fd8a8ba4378fcc40028ea1db3c70fffb1c677b3ed7c26961dd303719f
0\r\nae417734d63a46fbdf5d1959edafd0993d4292d3b3e9f938c0a13af0fbea59c5\r\n28d86ccddda6b39f8f86beefee4ff88e37141d1d7e97683b7d17ebf31b3b6dd5\r\nc71409c61c19f436887805a6057609557eb59dab3e59e8405bc6b20846da1489\r\n4262b95be790d57f0e6b592e0bfd332ba031cd704d511d160be00c348242b6b7\r\n496c6e768c20801f3658846f0367e7ddb220cb84cd6db53d6522c95bc57258ae\r\ncfc6fcb4b0072aef491c9070761edd4b89fec0b79ec33d71800e7e6ed38f6dfc\r\na048aafa6380255633e7421d6db457dc799732973f81fd0bc9228320362df8d7\r\nfa599c8c4d14783eaa8950185334f5a501123ccc6546e6836c71bfb37d2c0af6\r\n74526152bd398ee424643d0242de63d60354acc2b453fe805250a6001a0a33c6\r\na918085c5c71a4beed1cf47e1ca00bb23a72a3350c5406010138e21f33ff0c9a\r\n54fd9624a65ad212b547b4ab03a531eb9a0fed2dfe45d7e04ed63ca6d84aadee\r\nc21ec9caf79781e0af6fa4288cbe146823a812f403eb7a2559d2cae237c86c01\r\nefde647b19f5097b4cd0cbadac81b764b7f08a6b71172a87754f5eaee565d067\r\nf795e0df13b946a32762b5a868ee315a7a64abb13c5ee6dd4309c529a7a3c0ad\r\n8288d98084d63d1c0955d2393540c8638adadca7befedd5315e0cb3bd92be3fa\r\n599aa97a88dec66247bc7c7fa56af9d40af02348b11d0145413c6a5bf81127bd\r\nhttps://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2\r\nPage 18 of 
24\r\nC:\\Users\\dell\\source\\repos\\WindowsProject1\\Debug\\WindowsProject1.pdb\r\nC:\\Users\\dell\\source\\repos\\WindowsProject2\\Release\\WindowsProject2.pdb\r\nMITRE ATT\u0026CK\r\nT1003 Credential Dumping\r\nT1041 Exfiltration Over C2 Channel\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1112 Modify Registry\r\nT1203 Exploitation for Client Execution\r\nT1204.002 Malicious File\r\nT1204 User Execution\r\nT1566.001 Spearphishing Attachment\r\nT1566 Phishing\r\nYara rule\r\nrule hz_rat\r\n{\r\n strings:\r\n $x_mutex = \"91E99696-92CC-43F4-99B0-774D80BDAA6B\"\r\n $x_pdb_path_2_8_2__and_2_9_0 = \"D:\\\\WORKSPACE\\\\HZ_\"\r\n $x_pdb_path_2_9_1 = \"D:\\\\WORKSPACE\\\\HP\\\\HZ_\"\r\n $x_pdf_path = \"C:\\\\Users\\\\dell\\\\source\\\\repos\\\\WindowsProject2\\\\Release\\\\WindowsProject1.pdb\"\r\n $x_pdb_path_short_part = \"hp_client_win\"\r\n $x_wrongly_written_error_msg = \"instanse already exist.\"\r\n condition:\r\n any of them\r\n}\r\nrule hz_rat_aes_packer\r\n{\r\n strings:\r\n $decryption_body_747 = { 8D 44 24 1C 89 04 24 E8 84 ED 00 00 E8 DF DE 00 00 C7 44 24 08 10 00 00\r\n $decryption_body_748 = { 55 89 E5 5D C3 90 90 90 90 90 90 90 90 90 90 90 8D 4C 24 04 83 E4 F0 FF\r\n condition:\r\n any of them\r\n}\r\nOne more thing …\r\nReaching the end of our analysis, we noticed that many of the C2 servers we had previously identified serve current, or even previously unknown, samples of HZ Rat.\r\nThe samples are generally provided under the following path pattern:\r\n\u003cC2-Server-IP\u003e:\u003cC2-Server-PORT\u003e/\u003coriginal_sample_name\u003e\r\nBased on this pattern, we identified the following servers providing HZ Rat for download:\r\nPicture of us heavily uploading HZ Rat samples fresh from C2 server to VirusTotal.\r\nSource: https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2"
	],
	"report_names": [
		"hz-rat-goes-china-506854c5f2e2"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bc28712394f1ed327b97326f17a0727fe150ae1.pdf",
		"text": "https://archive.orkl.eu/7bc28712394f1ed327b97326f17a0727fe150ae1.txt",
		"img": "https://archive.orkl.eu/7bc28712394f1ed327b97326f17a0727fe150ae1.jpg"
	}
}