{
	"id": "126dfa61-f988-481a-a3ed-da87d211f3c5",
	"created_at": "2026-04-06T00:06:52.135097Z",
	"updated_at": "2026-04-10T03:20:44.424177Z",
	"deleted_at": null,
	"sha1_hash": "061d55cb7ce8e42775b7903da1fcf3287e2d2267",
	"title": "Divergent: \"Fileless\" NodeJS Malware Burrows Deep Within the Host",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1733982,
	"plain_text": "Divergent: \"Fileless\" NodeJS Malware Burrows Deep Within the Host\r\nBy Edmund Brumaghin\r\nPublished: 2019-09-26 · Archived: 2026-04-05 17:28:00 UTC\r\nUpdate (09/27/2019): Additional information regarding the malware interaction with various online\r\nadvertisements has been included to highlight the click-fraud related network communications associated with\r\nDivergent.\r\nExecutive summary\r\nCisco Talos recently discovered a new malware loader being used to deliver and\r\ninfect systems with a previously undocumented malware payload called\r\n\"Divergent.\" We first dove into this malware after we saw compelling data from\r\nCisco Advanced Malware Protection's (AMP) Exploit Prevention.\r\nThis threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the\r\nlegitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use\r\nof NodeJS is not something commonly seen across malware families.\r\nThe observed malware campaigns associated with Divergent feature the use of persistence techniques most\r\ncommonly associated with \"fileless\" malware, leaving behind few artifacts for researchers to look at. This\r\nmalware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to\r\nconduct click-fraud. It also features several characteristics that have been observed in other click-fraud malware,\r\nsuch as Kovter.\r\nTechnical Details\r\nTalos has identified a new modular malware that is being used to facilitate the\r\ninstallation of a previously undocumented malware family, which we are referring\r\nto as Divergent, due to the naming convention used by the malware during\r\nvariable declaration and the creation of environment variables. 
While we were\r\nunable to determine the delivery mechanism used, we were able to perform\r\nanalysis of the malware loader as well as the Divergent malware that it is used to\r\ninstall on victim systems. Divergent is a malware family designed to generate\r\nrevenue for attackers via the use of click-fraud, similar to other click-fraud\r\nhttps://blog.talosintelligence.com/2019/09/divergent-analysis.html\r\nPage 1 of 18\n\nmalware such as Kovter. Technical details associated with both the installation and\r\noperation of the Divergent malware are described in the following sections.\r\nInstallation\r\nThe malware has many similarities with other popular fileless malware families, particularly\r\nKovter. Like Kovter, it relies heavily on the registry for staging and storage of configuration data\r\nwhile avoiding more traditional on-access endpoint scanning of files on disk. It also uses a key in\r\nthe registry to maintain persistence, and relies on PowerShell to install itself on the infected host.\r\nWhen first delivered and executed on a victim's machine, the malware is in the portable executable (PE) format.\r\nIts first task, however, is to install itself to the system in a less suspicious form, namely as an HTML Application\r\n(HTA) that will load the malware from the registry.\r\nInstallation begins by creating several registry keys containing the different parts of the loader as well as the data\r\nof the malware PE. 
The malware reads all the information embedded in its data section and creates three new\r\nrandomly named registry keys, each holding a different stage of the loader code needed to execute the malware PE\r\nusing reflective injection.\r\nNext, the HTA loader is written to the CSIDL_COMMON_APPDATA folder (typically C:\\ProgramData\\) and set\r\nto execute each time the user logs on by adding an entry to the\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" registry key.\r\nAn example of an HTA loader and the accompanying registry entries necessary to execute the malware once\r\ninstalled are:\r\n17T21vYHOb.hta :: e4a49af295d6e61877a458a014fe63b733be942c506496b53070aa3d9ca421d8\r\nZfjrAilGdH.reg :: 5863f35959aa542a27319e098f40166f3ace09d265f4ec6d739318c0b739745e\r\nThis registry file contains the following subkeys in the key HKLM\\Software\\ZfjrAilGdH which are set by\r\nthe installation process (the key names are randomly generated and will be different for each installation):\r\nLvt4wLGLMZ :: JScript executed by ZfjrAilGdh.hta\r\nkCu2DZ9WI0 :: PowerShell used to reflectively inject the malware\r\n4FLJBnefsN :: hex data representing the malware PE\r\nFileless malware loader\r\nThe HTA is heavily obfuscated but, when cleaned up, evaluates to an eval\r\nof the JScript in the registry key \"HKLM\\Software\\ZfjrAilGdh\\Lvt4wLGLMZ\" via a\r\n\"ActiveXObject.WScript.Shell.RegRead\" (shown here as pseudo code):\r\nThe JScript in the reg key executes the following PowerShell (shown here deobfuscated):\r\nThis code will execute the code found in the registry location HKLM\\Software\\ZfjrAilGdH\\kCu2DZ9WI0 after\r\nsetting the variable regkeyname to the data found in the registry location\r\nHKLM\\Software\\ZfjrAilGdH\\4FLJBnefsN. 
The registry key 4FLJBnefsN contains the bytes of the malicious\r\nportable executable (PE) with a modified DOS header, namely the MZ signature has been replaced with null bytes.\r\nThe code from kCu2DZ9WI0 is a version of PowerShell Empire's reflective PE injection script that will inject the\r\nmalware:\r\nAt this point, the malware executes.\r\nDivergent malware\r\nThere are two main parts of this threat: one to receive and execute commands\r\nfrom a C2 server and another to execute external component scripts. The configuration for each\r\npart is stored in the registry in JSON format.\r\nThe component configuration describes which components should be executed and how. This example\r\nconfiguration will execute three different JScript components:\r\nEach entry is parsed, and each filename and args value is passed along for execution by the malware. Detailed\r\nanalysis of the call_03 (see Now I See You), all_socks_05 (see Click Fraud), and block_av_01 (see Block AV\r\nComponent) components can be found below.\r\nThe network configuration stores two classes of C2: \"accl\" is a list of URLs that the malware should attempt to\r\ncontact for system information delivery and for commands to execute, while \"acll\" is a list of URLs the malware\r\nshould attempt to contact for possible updates to either configuration file. The default values from ZfjrAilGdH.reg\r\nare:\r\nNotice that \"version\" is an epoch timestamp, converting to Saturday, March 30, 2019 7:14:29 PM GMT. The\r\nearliest reference we found containing several IOCs from this malware sample dates back to February 2019.\r\nOnce executed, the malware begins with five anti-analysis checks. 
If any of these checks fail, a beacon is sent to a\r\nstatic URL containing a direct IP and the malware sleeps indefinitely:\r\nThe beacon message indicates which anti-analysis check failed to pass. The malware checks for unwanted\r\nprocesses and loaded modules by hashing process file names and module names respectively, then comparing each\r\nhash against a separate pre-computed list for each. The lists contain hashes for endpoint security software and\r\nhypervisor services, since running the sample under either scenario failed these checks. It also checks for a host CPU\r\nwith at least two cores, the presence of a debugger, and finally compares system uptime intervals to determine if\r\nthe sample is running within a sandbox or virtual machine.\r\nIf the process is running with the appropriate privileges, it uses WMI (Windows Management Instrumentation) to\r\nquery recognized anti-virus software installed on the host. In particular, it's looking for the antivirus software\r\nWindows Defender. If found, it proceeds to disable various components of Windows Defender and Windows\r\nUpdates.\r\nOnce completed, it attempts to bypass UAC using CMSTP, if needed. Additional code is executed to check for any\r\nupdates to the malware's two configuration files. Empty POST requests are sent to each of the URLs in the first\r\nconfiguration's accl key. These URLs are later contacted with a comprehensive set of sensitive information from\r\nthe host. Most are non-responsive but still online. Many appear to be, or once were, compromised hosts used for\r\nthe C2 network.\r\nThe set of direct IP URLs found in the first configuration's acll key are contacted until one server responds back\r\nwith a configuration update. 
The response contains an RC4-encrypted update to the first of the malware's\r\nconfigurations in the registry. In this sample, the RC4 key \"seiC4aimaish9zah8kah\" is static, and decryption\r\nresults in a lengthier update for the first configuration:\r\nThe data is stored in the pre-existing registry subkey to update the value (in this example,\r\nHKLM\\SOFTWARE\\ZfjrAilGdH\\194956). As of Sept. 9, 2019, the version timestamp for the latest config pulled\r\nwas Thursday, Aug. 29, 2019 11:50:19 a.m.\r\nThe second configuration is stored in the last remaining value in the ZfjrAilGdH registry subkey\r\n(HKLM\\SOFTWARE\\ZfjrAilGdH\\2177774). Default values mentioned near the beginning of this section\r\nremained in use during runtime.\r\nThe primary flow of the malware code reaches an end but repeats select tasks every 90 minutes. It continues to\r\ncheck for configuration updates, continues to send encrypted sensitive information from the infected host, and\r\ncontinues to process any C2 responses that might contain additional commands to execute. The following\r\ncommands and parameters are supported by the C2 protocol used by Divergent:\r\nkillall: Terminate all processes initiated by the malware, delete corresponding files\r\nkill: Find process of specified component, terminate process, and delete the file\r\nstop: Find process of specified component, terminate process\r\nresume: Given pre-existing component, execute file\r\nmodules: From the same response data, pull additional configuration data from the following keys:\r\nname\r\nfilename\r\nargs\r\nversion\r\ntype\r\ndownload\r\nUsing this data, the malware sends additional requests to download each specified file. 
The files are\r\nwritten to disk and executed.\r\nupdate: From the same response data, pull additional configuration data from the following keys:\r\nfilename\r\ndownload\r\nAs with the modules command, the malware sends additional requests to download each specified\r\nfile. Each file is written to disk and executed. Finally, the task deletes the registry data stored in its subkey\r\n(handles both HKCU and HKLM).\r\nThe command update_interval modifies the main thread's sleep counter for the ending loop (the default time is 90\r\nminutes).\r\nComponents\r\nBlock AV component\r\nThe block_av_01 component attempts to block anti-virus software from receiving updates by\r\nblocking all outbound TCP connections on port 80 and port 443. With older revisions of this\r\nmalware package, this functionality was delivered via a JScript file named bav01.js, but in newer\r\nversions, this has been seen delivered by PowerShell in the fake PNG trpl.png (see Fake PNG\r\nPowerShell Delivery).\r\nThis installation script starts by creating a new folder (e.g. SystemConfigInfo000) to hold the files necessary for\r\nexecution. The two files to be installed are WinDivert.dll and either WinDivert32.sys or WinDivert64.sys,\r\ndepending on the host CPU architecture. These are the legitimate WinDivert binaries and are used by the malware\r\nto create its packet filter.\r\nThe WinDivert binaries are embedded in bav01.js as comments and written to disk with .b64 extensions. The\r\nfollowing is the code to retrieve the embedded resource named arch5 from the script, embedded in a comment\r\nblock in the format /*[\u003cresource name\u003e[resource data]]*/:\r\nEach WinDivert binary is then decoded from base64 using the Windows Certificate Services utility certutil.exe.\r\nFor example:\r\nThis script is set to execute as a task each time the computer starts. 
This is accomplished by creating a scheduled\r\ntask with a random-looking service name that is set to run as the SYSTEM user at the highest run level:\r\nNext, the following PowerShell command is executed (shown here decoded) to execute the base64 encoded\r\nPowerShell commands in the environment variable 'nttyuuyt':\r\nThe 'nttyuuyt' environment variable was set by bav01.js previously and contains a base64 encoded PE and the\r\nPowerShell commands necessary to reflectively inject this executable (truncated for readability):\r\nAt this point in the script, installation is complete and the PE-based module to block anti-virus HTTP/HTTPS\r\nconnections is loaded.\r\nTo achieve its anti-virus blocking, the reflectively loaded PE periodically checks the names of all running\r\nprocesses against a predefined list. If any process names appear in the list, the PIDs are added to the filter string\r\npassed to WinDivertOpen, which will block all traffic to that process on remote ports 80 or 443. An example filter\r\nstring is:\r\n((processId=620 or processId=736) and (remotePort==80 or remotePort==443))\r\nExample process names that would be blocked include msmpeng.exe (Windows Defender) and svchost.exe.\r\nClick Fraud\r\nThe all_socks component is a NodeJS-based Socket.IO client that is commanded to\r\nnavigate to arbitrary web pages by the attacker, ostensibly for monetization and click fraud\r\npurposes. 
With older revisions of this malware package, this functionality was delivered via a\r\nJScript file named either 04sall.js or 05sall.js, but in newer versions this has been seen delivered\r\nby PowerShell in the fake PNG strpk.png (see Fake PNG PowerShell Delivery).\r\nLike the anti-virus blocking component, the click fraud component makes use of the WinDivert library and\r\ntherefore installs the necessary WinDivert DLL and driver in the same manner as bav01.js, described above.\r\nAdditionally, the NodeJS executable and a NodeJS Socket.IO client named app.js are part of the installation\r\nprocess for this component. Older versions of this component also installed two executables, divergent.exe and\r\nmdivergent.exe; however, in later versions these are executed from memory via reflective PE injection.\r\nThe malicious NodeJS application, seen either as app.js or init.js, is a simple Socket.IO client that takes a base64\r\nencoded IP address as its only parameter.\r\nnode.exe app.js \u003cbase64 encoded IP\u003e\r\nIn all samples we have encountered, the IP address has been 176.9.117.194 (encoded as\r\nMTc2LjkuMTE3LjE5NA==). Upon execution, the malicious NodeJS app will make a request to the IP passed as a\r\nparameter:\r\nThe response from this server is the address of the next server which the application will connect to. This new\r\nconnection uses Socket.IO web sockets to maintain continuous communication between the victim and the server\r\nso the server can periodically send commands. 
The commands sent from this second server contain the host\r\naddress of an advertisement revenue service and the entire HTTP request that should be made to that server,\r\neffectively faking a click on an advertisement link.\r\nTo protect themselves from these kinds of fraudulent requests, advertisement monetization services may go to\r\nextra lengths to confirm the device making the request is the type of device it claims to be. For example, if the\r\nmonetization service only expects mobile devices, it may reject requests that have the characteristics of desktop\r\ndevices. We believe the divergent.exe and mdivergent.exe executables are used by the 04sall.js/05sall.js\r\ncomponents to circumvent these kinds of checks (see TCP/IP stack fingerprinting).\r\nThe divergent and mdivergent PEs make use of the WinDivert library to intercept and rewrite the first SYN packet\r\nof the 3-way TCP handshake for all outgoing connections the infected host attempts to make. The changes made\r\nto the SYN packets depend on which executable was used, either divergent.exe or mdivergent.exe; divergent.exe\r\nwill rewrite the TCP header options to follow the same format as Android devices, while mdivergent.exe will\r\nrewrite the TCP header options to follow the format of iOS devices. Which version of the divergent executable is\r\nused is dependent on the app.js deployment script (either 04sall.js or 05sall.js). These scripts contain code that\r\ndecides which version should be used depending on a variable named macchance which can be passed to the\r\ndeployment script as its only parameter. 
This variable contains the probability that mdivergent.exe will be\r\ndeployed instead of divergent.exe (the PowerShell parameter, normally base64 encoded, is shown here in its\r\ndecoded form):\r\nIn the code shown above, the variables \"and\" and \"mac\" correspond to the code necessary to reflectively inject\r\ndivergent.exe and mdivergent.exe respectively, i.e. \"and\" represents Android and \"mac\" represents iOS.\r\nFor either of these divergent executables to work properly, several changes to the TCP/IP stack on the infected\r\nmachine must be made; these include setting the TTL to 64, turning on the timestamp TCP header options, and\r\nchanging the MTU to 1440. Once those changes have been made, the system is forced to reboot with a false\r\nmessage of Critical_Windows_Update:\r\nWith these changes made, the divergent executables can perform the necessary modifications to each SYN packet\r\nso that they match the conventions of the device the host is disguised as.\r\nDuring our analysis of systems actively infected with Divergent, we observed several web requests initiated by the\r\nmalware attempting to interact with various online advertisements and advertising platforms, indicative of the\r\npreviously described click-fraud process performed by the malware. Similar to what was observed related to the\r\nmodification of the TCP configuration, the User-Agent field was modified to make the web requests appear as if\r\nthey had originated from a mobile device. 
Web requests were made to various online advertising services and\r\nwere similar to the following:\r\nWe also observed additional web requests similar to the following, which included a standard desktop User-Agent:\r\nAdditionally, the malware attempts to interact with “in-app” advertising platforms such as Mobfox.\r\nNow I See You\r\nThe component named call_03 by the malware's configuration file, which is delivered by the\r\nem_02.js and em_03.js scripts, appears to be a means of installing a remote assist tool on the\r\ninfected machine that would allow the attacker to view and possibly control the victim's\r\ncomputer.\r\nLike the previous components, the PE associated with em_03.js is executed via reflective PE injection, this time\r\nwith the environment variable fdghjgfdhj.\r\nThe PE to be injected is a DLL which, according to its export table, was originally called now_i_see_you.dll. This\r\nDLL has a single exported function named VoidFunc which contains all of its functionality. When VoidFunc is\r\nexecuted, it makes an HTTP GET request to hxxps://uoibppop[.]tk/. It then takes the response from this server\r\nand treats it as a new URL to navigate to. Using COM objects, the DLL launches an instance of Internet Explorer,\r\nresizes the window to fit the entire screen and navigates to the URL in the response. At the time of analysis, the\r\nserver was active but did not respond with any data, so we were unable to confirm what was being hosted there.\r\nAdditionally, the DLL hides the Windows taskbar so the user is more compelled to comply with any instructions\r\non the page that is presented to them. 
Next, the malware enters a loop looking for a process containing the string\r\ngotoassist (older versions also looked for teamviewer), ostensibly for confirming that the user followed the\r\ninstructions in Internet Explorer by downloading and running the attacker's malware. Once this process is running,\r\nthe Windows Taskbar is restored to view. A process list is gathered and sent to the URL\r\nhxxps://uoibppop[.]tk/clean; no response is expected from the server. The registry key\r\n`HKEY_CURRENT_USER\\Software\\fbsjbdfhsv` is created and the value `weqr` is set to 1, indicating that\r\nexecution was successful, then the process exits. Instead of a URL, the attacker has the option to send the word\r\nstop to the victim, which will cause the DLL to forcefully reboot the infected machine.\r\nWhile we do not know what URL the victim is intended to navigate to and therefore which program they are to be\r\ntricked into running, based on the process names gotoassist and teamviewer and the original DLL name of\r\nnow_i_see_you.dll, it is likely that the victim is intended to install one of these remote administration tools.\r\nFake PNG PowerShell delivery\r\nNewer versions of the Divergent malware package no longer deliver and execute components as\r\nJScript; instead, multi-stage PowerShell scripts are used. The first stage will retrieve the second\r\nstage from a static URL. 
The first-stage PowerShell is heavily obfuscated:\r\nHere is our deobfuscated version:\r\nWhile the requested resource features the extension normally associated with PNG images, it is actually malicious\r\nPowerShell that has been encrypted using RC4 with the encryption key \"raimeey2nu\", which was stored in the\r\nprevious PowerShell (the particular implementation of RC4 used can be found here).\r\nWe have encountered the following URLs to retrieve the encrypted PowerShell:\r\nhxxp://1292172017[.]rsc.cdn77[.]org/images/trpl.png\r\nhxxp://1292172017[.]rsc.cdn77[.]org//imtrack/strkp.png\r\nThe first URL delivers the PowerShell version of\r\nbav01.js and the second delivers the PowerShell version of 05sall.js.\r\nTaking a deeper look at the PowerShell version of 05sall.js, we see Base64 encoded blobs corresponding to\r\nbinaries associated with WinDivert. Like its JScript counterpart, the PowerShell decodes these blobs and saves\r\nthem to the filesystem location defined by the environment variable %ALLUSERSPROFILE%.\r\nShellcode stored within the PowerShell is loaded into a new memory region using the Windows API function\r\nVirtualAlloc and then executed to continue the infection process:\r\nConclusion\r\nThe malware loader described is currently under active development. Talos has\r\nobserved multiple versions of the loader being used to install the Divergent\r\nmalware. Attackers are attempting to monetize these infections through the use of\r\nclick fraud. The threat landscape is constantly evolving as attackers test new\r\ntechniques and methodologies to maximize their revenue generation capabilities.\r\nOrganizations should be aware of these changes and ensure that their security\r\nprograms are able to remain effective against these changing tactics, techniques,\r\nand procedures. 
This threat is successfully stopped by the Cisco Advanced\r\nMalware Protection (AMP) Exploit Prevention engine, and the resulting event data\r\nassisted with our analysis of the threat. Talos will continue to monitor the threat\r\nlandscape to ensure that customers remain protected.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed\r\nbelow.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs have been observed as being associated with these malware\r\ncampaigns.\r\nURLs:\r\nhxxps://1292172017[.]rsc[.]cdn77[.]org/images/trpl.png\r\nhxxps://1292172017[.]rsc[.]cdn77[.]org/imtrack/strkp.png\r\nMutexes:\r\nGlobal\\Divergent\r\nGlobal\\CreatorsPatch\r\nGlobal\\LocalLow7\r\nSource: https://blog.talosintelligence.com/2019/09/divergent-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/09/divergent-analysis.html"
	],
	"report_names": [
		"divergent-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/061d55cb7ce8e42775b7903da1fcf3287e2d2267.pdf",
		"text": "https://archive.orkl.eu/061d55cb7ce8e42775b7903da1fcf3287e2d2267.txt",
		"img": "https://archive.orkl.eu/061d55cb7ce8e42775b7903da1fcf3287e2d2267.jpg"
	}
}