top of page
Search

Your Dream Job, Sponsored by PureRAT

  • Writer: FAIR INTEL
    FAIR INTEL
  • 10 hours ago
  • 15 min read

December 16, 2025

ree

Synopsis

The OSINT describes a financially motivated PureRAT campaign that compromises Windows endpoints through recruitment-themed email lures, where victims open compressed “HR” attachments and execute a disguised Foxit-branded executable that initiates DLL side-loading, runs concealed batch and Python staging to deploy a RAT, establishes persistence via autorun registry entries, and then steals browser-resident data to enable ongoing access and monetizable credential collection. Strategically, this shifts decision making toward treating hiring and job-seeking activity as a conditional risk driver, prioritizing governance and investment in controls that reduce exposure during high-attrition and high-hiring periods; operationally, it requires tighter coordination with HR and recruiting, stronger email and endpoint execution controls, and monitoring that correlates attachment delivery with suspicious process chains, autorun creation, and outbound command-and-control; tactically, it favors rapid containment playbooks that isolate endpoints and revoke credentials and sessions when browser theft is suspected. Overall risk posture worsens where organizations rely on user judgment for attachment handling, allow execution from user-writable paths, and have limited visibility into DLL loads, scripting activity, and startup persistence, while stronger application control, EDR telemetry, and email filtering materially reduce susceptibility. Financial resilience is pressured by recurring incident-response and recovery costs, productivity loss, and the potential for secondary loss when stolen browser sessions enable follow-on account takeover or unauthorized access to connected SaaS and enterprise resources, making prevention and rapid detection economically preferable to repeated cleanup and downstream impact management.


Evaluated Source, Context, and Claim

Artifact Title

PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading


Source Type

Vendor cybersecurity research blog post


Publication Date: December 3, 2025


Credibility Assessment

High credibility: the write-up is a detailed technical report from a known security vendor and includes an explicit attribution correction with rationale. Some campaign-scale details (prevalence, victim counts, success rate) are not quantified in the excerpt.


General Claim

A malware campaign attributed to PureRAT targets job seekers via email lures using archived “HR documents” that drop a Foxit Reader–branded executable for DLL side-loading, then runs batch/Python staging (including base64-downloaded loader), sets persistence via an autorun registry entry, and steals browser data while communicating with attacker infrastructure.

 

Narrative Reconstruction

The OSINT describes a financially motivated cybercriminal actor operating a multi-stage email delivery campaign aimed primarily at job seekers (and potentially HR staff) to compromise Windows endpoints; the method is a killchain-like flow using social engineering through “recruitment” archive attachments, masquerading a renamed FoxitPDFReader.exe to trigger DLL side-loading, then executing hidden batch and Python-based staging (including downloading base64-encoded content), establishing persistence via autorun registry entries, and ultimately deploying a remote-access trojan that enables monitoring and theft of sensitive data (notably browser-resident information) to achieve ongoing access and monetizable credential/data collection.


Risk Scenario

Risk Scenario

A financially motivated cybercriminal actor targets individuals involved in hiring or job searching by delivering socially engineered messages that induce recipients to open compressed “HR/recruitment” files and execute disguised content, leading to installation of remote-access malware, persistence on the endpoint, theft of browser-resident data/credentials, and potential follow-on unauthorized access to connected accounts and organizational resources, resulting in response and recovery costs, productivity loss, and possible downstream fraud, data exposure, or regulatory/reputational impacts depending on what the compromised user can access.


Threat

A financially motivated malware operator distributing PureRAT via targeted email lures to job seekers (and adjacent HR roles).


Method

Send recruitment-themed archive attachments that masquerade as HR documents; execute a Foxit-branded executable that performs DLL side-loading; run concealed batch/Python staging that downloads/decodes a loader; establish persistence via autorun registry entries; then use the RAT to steal browser data and enable remote control.


Asset

End-user Windows endpoints used for job seeking/recruiting activity, associated local files, and browser-stored data/sessions (and any connected SaaS or corporate accounts reachable through the compromised device).


Impact

Unauthorized access to systems and data, theft of browser-resident sensitive information/credentials, potential downstream account takeover, incident response and recovery effort, and possible business disruption if compromised endpoints bridge into organizational resources.

 

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.


FAIR Breakdown

Threat Event Frequency (TEF)

Because the OSINT describes a repeatable but targeted email-based malware campaign rather than measured global volumes, TEF must be inferred from targeting logic, delivery method, and organizational exposure characteristics. TEF is best modeled as low to moderate and highly conditional on workforce attrition, hiring activity, and job-seeker behavior rather than as a flat rate across organizations.


Contact Frequency (CF)

The campaign uses email-based recruitment lures with weaponized archive attachments, not scanning or indiscriminate mass phishing. CF therefore depends on the size of the exposed population within a given organization rather than overall internet-scale volume.


Probably of Action (PoA)

The actor is financially motivated, seeking credential theft, data exfiltration, and persistent access via a RAT. Browser data theft and persistence mechanisms indicate clear monetization and reuse intent.


Threat Capability (TCap)

Overall TCap is moderate to high, reflecting competent but non-nation-state tradecraft.


Exploit sophistication: Moderate. The attack relies on DLL side-loading, batch scripting, Python staging, and base64-encoded payload delivery rather than novel exploits.


Bypass ability: Moderate. Masquerading as Foxit Reader, abusing archive formats, nested directories, and renamed binaries bypasses user scrutiny and some basic controls but is detectable by mature EDR.


Tooling maturity: Moderate to high. Multi-stage delivery, persistence via registry autoruns, and browser data theft indicate reused and tested tooling.


Campaign success rate: Moderate. Success depends on user execution and attachment trust; historically such campaigns succeed against a meaningful minority of exposed users, especially during job searches.


Attack path sophistication: High. The attack path begins with a recruitment-themed archive lure that contains a disguised executable, which abuses DLL side-loading to initiate execution, then runs concealed batch and Python scripts to stage and download the payload, establishes persistence through autorun mechanisms, and ultimately activates a remote-access trojan on the system.


Cost to run attack: Low to moderate. Infrastructure and tooling are reusable; primary cost is email delivery and lure creation, making the campaign economically feasible at scale.


Control Strength (CS)

Typical user environments have mixed preventive controls; social-engineering–driven installation indicates weak human-layer resistance but potentially moderate technical controls.


Resistive Strength (RS) Effectiveness of preventive/detective controls:

  • Email security may block some malicious archives, but can miss well-crafted recruitment lures.

  • Application control and EDR can detect suspicious execution chains, DLL side-loading, and autorun creation if properly configured.

  • Network monitoring can identify anomalous outbound connections and suspicious TLS characteristics.

  • Overall, RS is low to moderate, varying significantly by endpoint and security maturity.


Control Failure Rate

Gaps, weaknesses, misconfigurations:

  • Users execute attachments that appear to be documents.

  • Insufficient restriction on executable and DLL loading from user-writable directories.

  • Weak monitoring of script interpreters (bat/Python) and autorun registry keys.

  • Overreliance on user caution during high-stress job-seeking periods.



Susceptibility

Given moderate-to-high threat capability and uneven control strength, susceptibility is estimated at 30–50% among exposed users within a typical organization.

Probability the asset will be harmed is influenced by:


Exploitability: Estimated at 55–70 percent once a user executes the malicious file, as the chain is reliable post-execution.

Attack surface: Estimated at 20–40 percent of users in a typical organization, increasing during periods of active job searching or recruiting.

Exposure conditions: During active job searches or hiring cycles, susceptibility may temporarily rise to 45–60 percent due to urgency and trust in recruitment-themed content.

Patch status: Low impact (0–10 percent mitigation) because the attack path relies on social engineering and execution rather than patchable software vulnerabilities.


Numerical Frequencies and Magnitudes

All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.


Loss Event Frequency (LEF)

2/year (estimated)

  • Justification: For a representative moderate-exposure organization, employment-themed malware campaigns generate a small number of meaningful contact opportunities annually, but those contacts recur consistently during hiring and job-seeking periods.

Vulnerability (probability of harm per contact): .35

  • Justification: The attack depends on user execution of a disguised attachment and subsequent staging;. At the same time, many attempts fail due to user caution or security controls, the layered social-engineering approach yields a material but non-universal success rate.


Secondary Loss Event Frequency

0.6/year (estimated)

  • Justification: Not all endpoint compromises lead to secondary misuse, but browser credential theft creates a meaningful chance of follow-on abuse.


Loss Magnitude

Estimated range:

  • Min: $5,000

  • Most Likely: $25,000

  • Maximum: $120,000

Justification:

  • Minimum reflects endpoint rebuild and basic IR.

  • Most likely includes credential resets, broader investigation, lost productivity, and security labor.

  • Maximum reflects extended compromise or sensitive account access via stolen browser data.


Secondary Loss Magnitude (SLM)

Estimated range:

  • Min: $10,000

  • Most Likely: $75,000

  • Maximum: $300,000

Justification:

  • Secondary losses include account takeover, fraud, unauthorized access to connected systems, legal/regulatory handling, and expanded incident response.


Mapping, Controls, and Modeling


MITRE ATT&CK Mapping

Initial Access

T1566.001 – Phishing: Spearphishing Attachment

Reference: “One common entry vector we’ve observed is email-based job lures… Archive files… are deliberately crafted…”

Execution

T1204.002 – User Execution: Malicious File

Reference: “Upon seeing the Foxit logo, most users would assume… might not notice that it is actually an executable (.exe).”

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

Reference: “The batch file, document.bat…”

T1059.006 – Command and Scripting Interpreter: Python

Reference: “Following extraction, the batch file invokes the Python interpreter to execute the malicious Python script…”

Defense Evasion

T1036 – Masquerading

Reference: “renamed version of FoxitPDFReader.exe… uses the Foxit logo as its icon to look more convincing.”

T1027 – Obfuscated/Encrypted File or Information

Reference: “an encoded base64 is downloaded… containing the Python script…”

Persistence

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder

Reference: “creates an autorun registry entry to make it persistent in the system.”

Credential Access

T1555.003 – Credentials from Password Stores: Credentials from Web Browsers

Reference: “The attack steals data from the user’s internet browsers.”

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

Reference: “certificate… commonly seen in certificates used by PureRAT SSL… part of its secure communication.”


NIST 800-53 Affected Controls

AT-2(3) — Literacy Training and Awareness | Social Engineering and Mining

The campaign deliberately exploits job-seeker psychology through recruitment-themed email lures and realistic HR documents to induce users to execute malicious content.

Reference: “Because job seekers constantly watch out for new opportunities, they might download attachments quickly and overlook warning signs… The emotional strain of the job search can reduce caution.”

SI-3 — Malicious Code Protection

PureRAT is delivered via weaponized archive files containing a disguised Foxit Reader executable that performs DLL side-loading and staged malware execution, directly challenging endpoint malware-detection and prevention controls.

Reference: “PureRAT targets job seekers… disguising itself behind a weaponized Foxit PDF reader and performing dynamic-link library (DLL) side-loading to gain a foothold in the system.”

SI-7 — Integrity

The attack abuses the Windows DLL search order by loading a malicious msimg32.dll alongside a renamed legitimate executable, thereby undermining assumptions about executable and library integrity.

Reference: “Cybercriminals often abuse .exe files to exploit the Windows DLL search order mechanism for DLL side-loading.”

CM-7 — Least Functionality

The campaign relies on the unrestricted execution of batch files, renamed executables, and embedded scripting environments (Python), indicating excessive functionality enabled on end-user systems.

Reference: “The batch file, document.bat… invokes the Python interpreter to execute the malicious Python script… even if Python is not pre-installed.”

CM-6 — Configuration Settings

Persistence is achieved by creating an autorun registry entry, indicating insufficient hardening and monitoring of system startup configuration settings.

Reference: “It also creates an autorun registry entry to make it persistent in the system.”

SI-4 — System Monitoring

The multi-stage execution chain (archive extraction, disguised executable launch, DLL side-loading, batch execution, Python staging, outbound C2) represents anomalous behavior that effective system monitoring controls are intended to detect.

Reference: “Following extraction, the batch file invokes the Python interpreter… an encoded base64 is downloaded… serving as a shellcode loader.”

IA-5 — Authenticator Management

The malware explicitly targets browser-stored data, including credentials and session artifacts, undermining controls intended to protect authenticators at rest and in use.

Reference: “The attack steals data from the user’s internet browsers… reference Chromium-based browser profiles.”

SC-7 — Boundary Protection

PureRAT establishes command-and-control communications using self-signed certificates and outdated TLS versions, testing the effectiveness of network boundary inspection and filtering controls.

Reference: “These include a self-signed structure, a randomized common name, outdated TLS versions (TLSv1), and an extremely long validity period.”

IR-4 — Incident Handling

The campaign demonstrates a full compromise lifecycle—from initial delivery to persistence and data theft—requiring coordinated detection, containment, eradication, and recovery activities under incident handling controls.

Reference: “Unknown to the user… the PureRAT payload has begun running silently in the background.”

CP-9 — System Backup

While not explicitly encrypting data, the RAT’s ability to steal data and maintain persistence increases the likelihood that recovery actions would rely on clean backups if system integrity cannot be trusted.

Reference: “PureRAT attack can lead to threat actors gaining control of systems, monitoring activity, and stealing sensitive data.”


Threat Model

Threat model from the original artifact as follows:

ree

Monitoring, Hunting, Response, and Reversing

Monitoring

Prioritize email, endpoint, and network telemetry that can observe the full sequence from lure to RAT: ingest secure email gateway logs and mailbox audit logs to capture recruitment-themed archive delivery, attachment types, and sender anomalies; ensure endpoint EDR includes complete process creation (parent-child), command-line, module/DLL load events, file creation in user-writable paths, autorun registry writes, and script interpreter execution to catch a disguised “Foxit” executable loading a sideloaded DLL and then launching hidden batch activity and Python staging; add DNS and proxy/firewall egress logs with sufficient granularity to identify suspicious outbound connections and certificate/TLS anomalies consistent with self-signed or outdated TLS usage described in the OSINT; and include identity and cloud/SaaS sign-in logs to detect follow-on use of stolen browser credentials and sessions. Logging should be set to retain process command lines, DLL image load telemetry, and registry autorun events at minimum, with tighter retention during active hiring cycles; key indicators to prioritize include archive-to-executable execution from user directories, unusual DLL loads adjacent to renamed “Foxit”-looking binaries, chained execution where a user-launched process spawns cmd or bat activity and then Python, base64 decode or download behavior, and creation of Run/RunOnce autoruns. Close monitoring gaps by enforcing visibility into script interpreter usage, autorun changes, and outbound TLS metadata; implement correlation such as “email with recruitment archive delivered to user” followed within a short window by “executable launched from extracted archive path,” then “unexpected DLL load,” then “bat execution,” then “Python execution,” then “new autorun registry value,” then “new outbound connection,” and alert at moderate thresholds when two or more stages occur on the same host within hours. Update dashboards to track hiring-cycle exposure (attachment-driven executions, archive extractions, autorun creations, script interpreter launches) and to trend detections by user cohort (job seeker devices, HR/recruiting endpoints), and validate monitoring by safely simulating the behavioral chain (benign archive drop, benign executable spawn, benign bat-to-python chain, benign registry autorun write) to confirm end-to-end log coverage and alert timing without needing live malware.


Hunting

Hunt with hypotheses that mirror the OSINT-defined tradecraft: endpoints exposed to recruitment attachments may show a short-lived “document-like” executable launched from an extracted archive location, followed by DLL side-loading behavior and a scripted staging chain that invokes cmd or bat and then Python, culminating in persistence via autorun registry keys and subsequent outbound command-and-control. Use telemetry from EDR (process trees, command lines, image load events, file writes, registry writes), email telemetry (attachment metadata, delivery, user interaction where available), DNS and proxy logs (new domains/IPs, unusual TLS/certificate attributes), and identity logs (new device sign-ins, session anomalies) to build detections that focus on high-signal sequences rather than single events; for example, look for a user-initiated executable with a recruitment-themed filename/icon running from a user directory that loads a non-standard DLL from the same directory, then spawns cmd or a bat file, then executes Python with inline parameters, followed by an autorun registry modification and new outbound connections. Manage noise by scoping hunts to users likely to be exposed (HR/recruiting roles, users receiving recruitment attachments, systems with recent archive extractions), by requiring at least two linked behaviors in a time window, and by excluding known-good enterprise packaging or automation that legitimately uses bat and Python, so the hunt surface stays focused on the specific attachment-driven, staged execution pattern described in the campaign.


Response

Collect and preserve the logs needed to reconstruct the attachment-to-RAT sequence and quantify loss drivers: secure email gateway and mailbox audit logs for initial delivery and attachment metadata; EDR telemetry for the full process tree (user-launched executable, DLL load evidence, cmd or bat execution, Python staging), file system artifacts showing extracted archive contents and deeply nested directories, and registry autorun entries created for persistence; plus DNS/proxy/firewall egress logs and endpoint network connections to identify command-and-control sessions and timing. Expect artifacts such as the original archive, the disguised executable, the sideloaded DLL, hidden folder structures, bat files, renamed interpreters or staged runtime components, and evidence of browser data access consistent with credential/session theft; plan for anti-forensic friction primarily through masquerading, deep path nesting, and in-memory or encoded staging rather than explicit log wiping, so rapid containment should focus on isolating the host, killing suspicious process chains, removing autoruns, and forcing credential/session resets for accounts used on the endpoint (especially browsers and connected SaaS). For FAIR support, capture time-to-detect, dwell time, number of affected endpoints, scope of stolen credential exposure (identity log anomalies), and remediation labor hours to feed TEF and LM estimates; validate DFIR readiness by tabletop or controlled simulations that exercise “attachment delivered,” “user executes disguised binary,” “staged scripting,” and “autorun creation” so containment playbooks, evidence capture, and comms triggers are proven before a real event.


Reverse Engineering

Focus reverse engineering on the staged loader and persistence behaviors described: analyze the disguised “Foxit”-branded executable and the sideloaded DLL to confirm how the DLL search order is abused, then trace how batch activity triggers Python-based staging, including how base64-encoded content is retrieved and decoded into a loader that ultimately activates the RAT; during dynamic analysis, instrument process creation, image/DLL loads, registry autorun modifications, file writes in user-writable directories, and outbound connections so you can extract stable indicators such as execution chain characteristics, persistence keys/values, and any consistent network traits (including certificate attributes noted in the OSINT). Emphasize evasion and concealment techniques like nested directory placement, masquerading of file names and icons, renamed binaries or interpreters, and encoded staging, and produce detections from behavioral hooks (bat-to-python chain, autorun creation after attachment execution, suspicious DLL load adjacency) rather than relying only on hashes. If samples are available, add static extraction of embedded configuration and dynamic capture of network destinations and ports, and then generate internal YARA/Sigma-style logic based on the staging and persistence patterns to reduce future recurrence even if the payload mutates.


CTI

Drive PIRs toward exposure and recurrence: assess whether your organization’s hiring patterns, attrition, geography, and recruiting partners increase contact frequency, and track whether the recruitment-lure TTP set (weaponized archives, masqueraded Foxit executable, DLL side-loading, scripted staging, autorun persistence, browser data theft) appears in internal telemetry across multiple incidents or business units; for SIRs, prioritize filling gaps on missing or unstable indicators (attachment names/structures, hashes, infrastructure, and any repeatable certificate traits), obtaining sanitized samples where feasible, and mapping infrastructure relationships across sightings to determine whether activity clusters into a consistent campaign. Collection should include continuous monitoring of vendor reporting and malware repositories for PureRAT-related updates, internal email and endpoint telemetry review during hiring surges, and collaboration channels (ISAC/ISAO) to compare lure themes and delivery patterns, while mapping should continuously align observed behaviors to ATT&CK techniques already supported by the OSINT and compare against historical attachment-driven RAT events to validate or refute hypotheses about repeatability, operational changes, and whether the same execution chain is reappearing under different lure branding.


GRC and Testing

Governance

Update governance to treat recruitment-themed attachment malware as a recurring enterprise risk that varies with attrition and hiring cycles, and ensure policy explicitly addresses opening compressed “HR/recruitment” files, executing any attachment that appears to be a document, and handling vendor-branded executables that masquerade as PDFs; policies should also require that HR and recruiting workflows use sanctioned channels for file exchange, mandate identity and session hygiene when browser data is exposed, and define escalation triggers when endpoints show the sequence of user-launched disguised executables followed by DLL side-loading, scripted staging, autorun persistence, and outbound command-and-control. Strengthen oversight by assigning clear ownership across security, HR, and IT for exposure management, aligning risk acceptance and treatment decisions to RA/PM/PL artifacts such as a documented risk assessment that ties this scenario to hiring operations, program and plan updates that enforce attachment handling controls and endpoint execution restrictions, and risk register entries that capture conditional TEF drivers such as attrition rate, hiring volume, and recruiting partner dependencies. Require board and executive communications to include plain-language updates on exposure periods, leading indicators such as growth in recruitment-lure emails or attachment-driven executions, and treatment status for high-impact controls such as email filtering, application control, EDR coverage of DLL load telemetry and autorun changes, and identity protections that reduce secondary loss when browser sessions are stolen.


Audit and Offensive Security Testing

Prioritize audits that can produce evidence that controls actually interrupt the described chain, and treat missing evidence as a finding because this threat relies on observable behaviors across email, endpoint, and network layers; audit work should validate that policies requiring safe handling of recruitment files are operationalized, that email controls flag or sandbox suspicious archives and executables, that endpoints log and alert on DLL side-loading indicators, bat and Python execution chains, and autorun registry creation, and that identity monitoring can detect suspicious use of stolen browser sessions. Compliance tie-ins should be tested using objective artifacts, including proof of logging sufficiency, retention, and review for high-risk user cohorts, and evidence that incident-handling procedures include credential and session revocation actions when browser data theft is suspected. Offensive testing should consist of red team scenarios that deliver benign but behaviorally similar recruitment-themed archives, validate whether users can be induced to execute a disguised “document” executable, and confirm whether defenders detect the subsequent scripted staging and persistence behaviors; purple team validation should focus on correlation logic that links email delivery to endpoint execution to persistence to outbound activity, and penetration testing scope should include abuse of user-writable directories for DLL side-loading, detection of autorun registry changes, and reproduction of the scripted staging pattern using non-malicious payloads to confirm control validation without introducing real malware.


Awareness Training

Adjust training to focus on the specific social engineering pattern in the OSINT, where recruitment messages use compressed attachments with HR-themed filenames and visual cues that make executables look like PDFs, and emphasize the human failure modes that increase susceptibility during job searches such as urgency, emotional strain, and routine attachment review; training should teach employees to treat any “document” that is actually an executable, any archive that contains an application, and any request to run a file to view job details as a stop-and-verify moment. Provide role-specific reinforcement for HR and recruiting staff who are disproportionately exposed by requiring secure file exchange practices, prohibiting execution of vendor-branded “reader” files received via email, and promoting quick reporting pathways for suspicious recruitment content. In contrast, administrators and power users should receive targeted reminders about script interpreter abuse and autorun persistence indicators that can follow initial execution. Update phishing simulations to include recruitment-themed archives and “PDF-reader” masquerading behaviors, measure effectiveness with click-and-execute rates rather than only click rates, and run reinforcement cycles more frequently during hiring surges; incorporate practical behavioral indicators employees should recognize, clear communication guidelines for handling unsolicited attachments and external applicant documents, and metrics that track reduction in risky attachment execution alongside increased reporting and faster containment initiation.


Indicators of Compromise

IoCs from the original artifact as follows:


ebcfc4f6c6e63b75dc407f5e76c9d96c69c3c1b6

5cb888c87b15ec998c638892ad382dc68efb7f94

65fec70eaca638cbd10a6774e4e67f2d55f63959

9eb12480a9e3be552c88960d45beeacfb3b2444b

0227738e5a98622ea88a2f09527618a6fc4b9be9

9eb12480a9e3be552c88960d45beeacfb3b2444b

0227738e5a98622ea88a2f09527618a6fc4b9be9

37a9972e667dc479bbbd586803d809b56b00ffcf

a2f95e24cb46a0a1edba7d1ff4f7fa2789ee2325

c52473f4e858e91dfd769a1774e5821750b8c8e2

9857742e8f10595111be8cf813f4b83c6e8d7bc5

da24feaa3f0fc9a326905afab295324944fb0f03

678045a8b05e4bf36c7bb0338612bcbfc2376dd8

3776c0df00a24f9152b6cb44c0fa05ef410f747b

191a7e68ca0d15af4283844aa4916f8f73fe6be2

2ed9043c9eaf0cccb96711ca05a07add8a10ec88

e43daace2965439f2b1574b903d08af427f9307d

21f6eb9e582043af0be06dbdb2819e9642ca991a

1c796a576e1f30ed0a672b30b0d2644aebe7f739

7dab6af4c90599ddba656bec8e258d08e9e8ffe6

df86e5d1a2d614c762704dc8842874fad27de978

2afde2c2a7773f68de691fe4f4e835fe530a3471

784468f153fd9b1676504f51bce1bbd9237373f2

2336179beb8a8d4c9a23771cc0ae31f2a146fbbd

763b0273c03053405806722df9fe3c9e270c8d55

de263d9374d90fb7f51b19a036cb75a3d2072342

a32fa6ba08db96ebd611f6ee06da44b419d569a6bac43ed00c68d6ca674004c3

7e8415e2744be160b7d7c600a401de41554c1357c2d2d35c85f8be8068cbc649

9b0afe79696ccb263b8a00c75c021d115f152283714c0e4c5075aad4e52b94f9

074400e2f09312081c29e905a9d24f70cfc5f535cd1dcaaca31e33586c7b01bc

cabd71a7a4df7fa6b5ffe0f22354953b5d278c5b2626af8bfba0ba726acc59ef

3b2d397f308e00f6ef5ae4a368b6ec9a1b5791b883583d104949d80711f5789f

c3f09771a248daede16382ec9484c6a626e2f289c095164eea97170f3e4a6769

8a18b8826daafc4a84d49299013c5cabe95dd9159ea5d5f1fb5872a6d70666e6

28fb1c360663b13a4f918b76a12bdc6f7532896eabf8200bddb63319c92bad26

ff84bb121533144fc87c314a9d50c16dd15bb7d8f036c777e0a6c1dc7395e000

99af1fe7e00d4d82bc6ae4440ad3528202a8a6234038fcde15e78dfea79dac2a

6266d87b93e8129b0b606971f0c9e00214abadbc758769bd9cf456c6e0ad8b6e

e65b359519b912139ae7ab3ac77c667c5411d2264a1d75166ae2dfffefe2efaa

0010c5caa8311201cd3b0e335a3936e7d1143362d98f4b5a57ef780dcdc1ca5a

8046fe163a0ab581df7ea7c86788d7dca42f70fac95023dfb36d9281ad3463d9

2261efb7516dd49edd3bface0c769a531c37ce0ca6832871768f622abb0f1f71

cb30d5b932a461601deaf2ef76476e216c7d2a99ea7c280cadbe6510b2997080

6ec18bf62078bb2661b2d0cadf0314ea44fc67da786c28456869b0102eea235c

6351649b644eafe5c27317251bd466a8eab265defb58ab34c20feec60304a861

f75c4d6c989c03c339ead7708227f22d30b9a5f4f433bbe29391a1003aa85d85

bb21ec0bb2b94c5471ed7c768cc999808a42e985955384f6af360caa0c640d6c

216cd0ccc129a612082bddf2502a58aef6b1c22ea07a18a58e4e8315d6ea3fbb

f49ba5d85a7be63599346097278c1af49ab6c1bea82e422462057c78641d54d4

ce1be9e4b2fd0f3958720f9bc2ae9d545bc0e27dcf1042b64a70f1fc62884610

196[.]251[.]86[.]145/huna

51[.]79[.]214[.]125/huna

154[.]90[.]58[.]164[:]56001

Comments

Commenting on this post isn't available anymore. Contact the site owner for more info.
bottom of page