Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive. It is a Windows application (PE EXE file) and is 5 137 408 bytes in size. It is packed using VMProtect and is written in C++.


Once launched, the Trojan creates the following system registry key:


Then, the Trojan displays the following window:

After the user confirms "I agree with the rules", selects the location for unpacking and presses the "Unpack" button, the malware imitates the process of unpacking the files. At a certain stage, this process stops and the user is prompted to complete some fields in a form, then send an SMS containing the text


to one of these payable numbers:

While sending the confirmation message, the Trojan carries out the following HTTP request:

GET /functions/sms-api/sms_from_soft.php?user_phone=
=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***ofit.com
Cache-Control: no-cache

In response, the server sends back an integer, for example, "216".
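One way to flag this request in captured HTTP traffic, as an added example that is not part of the original description. The sample requests, phone number and host are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the request above. The host is masked on the page,
# so it is not used as an indicator.
BEACON_PATH = "/functions/sms-api/sms_from_soft.php"
BEACON_UA = "Mozilla/3.0 (compatible; Indy Library)"

# Constructed samples: phone number and host are placeholders.
SAMPLE_BEACON = (
    "GET /functions/sms-api/sms_from_soft.php?user_phone=0000000000&pt=1 HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "Host: placeholder.invalid\r\nCache-Control: no-cache\r\n\r\n"
)
SAMPLE_OTHER_INDY = (
    "GET /updates/check.php?v=2 HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "Host: placeholder.invalid\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def match_beacon(raw):
    """Return which of the page's indicators the request matches."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return []
    url = urlsplit(target)
    hits = []
    if method == "GET" and url.path.lower() == BEACON_PATH:
        hits.append("path")
    if "user_phone" in parse_qs(url.query, keep_blank_values=True):
        hits.append("user_phone")
    if headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    return hits

def is_beacon(raw):
    # This User-Agent is the default of the Indy networking library, which
    # legitimate software also uses, so the path must match as well.
    hits = match_beacon(raw)
    return "path" in hits and "user-agent" in hits
```
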

The "Support service" link points to the resource:


Removal Instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following system registry key (see What is a system registry and how do I use it?):

  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 13DB8201EA98EC0AB953AAB8111134FA
SHA1: 55A8FF534DCA8250E2B424775010516AD12B0ED1