These fake installers use a pricetrap method, the same we retrieve in ransomwares: user is fooled into making a costly subscription for continue.
Å«Ó¡« _slash_ Porno (1990) VHSRip_021518-44912.zip.exe:
This is quite interesting hoax, masqueraded as WinRAR archive who come from a fake rapidshare website
Download any archive from the site to get that:
When started hoax displaying main window with "contents" of archive and waiting for user action.
Here also present EULA, where (highlighted) honestly written that this is hoax.
You press "Extract", it's simulating some activity and then window is refreshed with "Select your country" stuff.
Be careful, because this buggy trash can crash if you select something except few countries in list.
I suggest you to select first country in list.
Next it is wants some money - send 1 SMS to short number displayed on screen (numbers differs from country to country).
SMS price given in EULA, but nobody does not read EULA's, yes?
For Russia price for 1 SMS - 10$.
Once you send first SMS:
It is asking second SMS:
And then it want third SMS:
So it's about 30$ only to get to this window
Now it is required to post tel number from which you send all 3 SMS previously.
Finally you have what you want - list of torrents, they are even working.
Here also very cool description how to download torrent client and how to download torrent files from server.
In simple words you are paying ~30$ and giving your phone number for FAQ how to install uTorrent and use Google. Obviously victims of this hoax are not really smart people.
Å«Ó¡« _slash_ Porno (1990) VHSRip_021518-44912.zip.exe is heavily protected by VMProtect.
Additional information for reverse engineers about knigi_po_remontu_kvartir.rar.exe:
0x53463C (interesting range to break)
0x53471E (MessageBox is showed)
These range are valid when UPX is gone.
WinRARc SMS code: 8109580, 2406415, 1645976.
Thanks to EP_X0FF