I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the DRM in RAM. It required admin permissions; I didn’t trust it, but I ran it in a VM and nothing happened.

Then I told myself “I have Microsoft Defender and Windows Firewall Control, they will warn me” and I ran it on my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.

Then I reboot, and first I notice a couple of DOS prompts flashing on the screen, and Windows Firewall Control asking me if “aspnet_compiler.exe” is allowed to access the internet or not.

Suspicious, I go to check that “aspnet_compiler.exe” and it’s located in the .NET system folder. I scan it with Microsoft Defender and it doesn’t report it as a virus. I do not pay attention to the fact that it doesn’t have a valid Microsoft signature, and I tell myself “probably just a Windows update” and I whitelist it on the firewall.

After a few hours I realize “wait a minute: it’s impossible that an official Windows exe isn’t signed by Microsoft!” I go back to scan it, not infected… or so it looks: Defender says “ignored because in whitelist”. What? The “loader” put c:* in the whitelist!

The “crack loader” wasn’t a virus per se. It dropped an obfuscated batch in startup, which had a base64-encoded attachment of the actual malware, that was copied into the .NET Framework directory with unassuming names…

And this for a $60 perpetual license program that I should buy anyway because it’s for work.
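
The three traces described in the post (a Defender exclusion covering the whole drive, an unsigned executable in the .NET Framework folder, and a batch file set to run at startup) can each be checked from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the default .NET Framework locations under the Windows directory and that "startup" means the Startup folders, and its output is meant for manual review.

```powershell
# Added example: triage for the traces described in the post.
# Run from an elevated PowerShell session (exclusions are hidden from non-admins).

# 1. Defender exclusions: list all, flag wildcard or whole-drive entries (e.g. c:*).
$prefs = Get-MpPreference
$exclusions = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension) |
    Where-Object { $_ }
$exclusions | ForEach-Object {
    [pscustomobject]@{
        Exclusion   = $_
        OverlyBroad = ($_ -match '\*') -or ($_ -match '^[A-Za-z]:\\?$')
    }
} | Format-Table -AutoSize

# 2. Executables in the .NET Framework folders that lack a valid Microsoft signature.
#    Assumption: the framework lives in the default directories below.
$netDirs = "$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64"
Get-ChildItem -Path $netDirs -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    Get-AuthenticodeSignature |
    Where-Object {
        $_.Status -ne 'Valid' -or
        $_.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation'
    } |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 3. Script-like files in the per-user and all-users Startup folders.
#    Assumption: the dropped batch sits in a Startup folder rather than a Run key.
$startup = [Environment]::GetFolderPath('Startup'),
           [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk' } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Any exclusion flagged as overly broad means a clean Defender scan result for files under that path cannot be relied on until the exclusion is removed and the scan repeated.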

  • pop [he/him]@lemmy.blahaj.zone
    2 days ago

    And this for a $60 perpetual license program that I should buy anyway because it’s for work.

    If you work for someone, they should be providing the license for you.

    If you’re a freelancer, it should be part of the costs that you get back as you work. $60 for a perpetual license is honestly not that steep and shouldn’t impact your prices much.

    This is one of the main reasons I don’t pirate anything but audio and video anymore (and even then I’m cautious). It’s really not worth it.