NOTES: The .js file extracted from the .zip is location-specific. I had to come from an Italian IP address for the server at umzuegeberlin.com to respond with the appropriate traffic. The follow-up .exe file is definitely VM-aware. The follow-up .exe and follow-up .js file were kept persistent through the Windows registry.
Article Link: http://www.malware-traffic-analysis.net/2016/11/30/index2.html