Sample File:
  MD5 hash:    f9b3b185b1538fa9c5b0c4e43b05f396
  SHA1 hash:   fc5eb4f7d59ab7ac7a542fd383d252c31f3c91e0
  SHA256 hash: d51fa8b0bd6f3f95c54c44c5c35c0a12ad6b9a8a573d9488168e40a98c439135
  SSDEEP hash: 6144:2ia1vcaEre+HPsKSAzG44DQFu/U3buRKlemZ9DnGAeWBJR1+Gd:2HcthvzSAx4DQFu/U3buRKlemZ9DnGA3
  Filename(s): CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe
  Filetype:    Windows Exe (x86-32)

Mutex IOCs:
  - None -

Registry Key IOCs:
  HKEY_CURRENT_USER\Software\Borland\Locales
  HKEY_LOCAL_MACHINE\Software\Borland\Locales
  HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  HKEY_CURRENT_USER\Software\Zeppelin
  HKEY_CURRENT_USER\Software\Zeppelin\Process
  HKEY_CURRENT_USER\Software\Zeppelin\Stop
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe
  HKEY_CURRENT_USER\Software\Zeppelin\Keys

Domain IOCs:
  - None -

IP IOCs:
  - None -

URL IOCs:
  - None -

File IOCs:
  Filenames:
    C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\
    C:\Users\FD1HVy\AppData\Local\Temp\5D4CAC51.zeppelin
    C:\Users\FD1HVy\Desktop\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe -start
  MD5 hashes:
    f9b3b185b1538fa9c5b0c4e43b05f396
    93b885adfe0da089cdf634904fd59f71
  SHA1 hashes:
    fc5eb4f7d59ab7ac7a542fd383d252c31f3c91e0
    5ba93c9db0cff93f52b521d7420e43f6eda2784f
  SHA256 hashes:
    6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
    d51fa8b0bd6f3f95c54c44c5c35c0a12ad6b9a8a573d9488168e40a98c439135
  SSDEEP hashes:
    3::
    6144:2ia1vcaEre+HPsKSAzG44DQFu/U3buRKlemZ9DnGAeWBJR1+Gd:2HcthvzSAx4DQFu/U3buRKlemZ9DnGA3