
I downloaded a cracked install from TPB (haxnode). It was a loader EXE that loaded the original EXE and supposedly removed the DRM in RAM. It required admin permissions; I didn't trust it, but I ran it in a VM and nothing happened.

Then I told myself "I have Microsoft Defender and Windows Firewall Control, they will warn me" and I ran it on my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.

Then I rebooted, and first I noticed a couple of DOS prompts flashing on the screen, and Windows Firewall Control asking me whether "aspnet_compiler.exe" is allowed to access the internet or not.

Suspicious, I went to check that "aspnet_compiler.exe", and it's located in the .NET system folder. I scanned it with Microsoft Defender and it didn't report as a virus. I did not pay attention to the fact that it didn't have a valid Microsoft signature, and I told myself "probably just a Windows update" and I whitelisted it on the firewall.

After a few hours I realized "wait a minute: it's impossible that an official Windows EXE isn't signed by Microsoft!" I went back to scan it: not infected... or so it looked, because Defender says "ignored because in whitelist". What? The "loader" put `C:\*` in the whitelist!

The "crack loader" wasn't a virus per se. It dropped an obfuscated batch file in Startup, which had a base64-encoded attachment of the actual malware, that was copied into the .NET Framework directory with unassuming names...

And this for a $60 perpetual-license program that I should buy anyway because it's for work.
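The persistence chain described in the post (a batch file in Startup carrying a base64 blob, a payload copied into the .NET Framework directory under a Microsoft-looking name, a drive-wide Defender exclusion, and a task that re-runs it as admin at boot) can be audited from an elevated PowerShell prompt. The script below is an added example, not code from the post or from any tool it mentions. It assumes a stock Windows 10/11 install with Defender and PowerShell 5.1 or later; the 200-character base64 threshold and the "Highest" run-level filter are arbitrary choices, and on some builds catalog-signed system binaries report `NotSigned`, so treat each hit as a lead to verify rather than a verdict.

```powershell
# Added example: audit the four places the post's loader touched.
# Run from an elevated PowerShell session. All thresholds are assumptions.

# 1. Defender exclusions. A drive-wide entry such as C:\* turns off on-access scanning
#    for everything, which is exactly why the dropped EXE scanned "clean".
$pref = Get-MpPreference
Write-Host "--- Defender exclusions ---"
@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
    Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }
$wide = @($pref.ExclusionPath) | Where-Object { $_ -match '^[A-Za-z]:\\?\*?\\?$' }
if ($wide) {
    Write-Warning "Drive-wide exclusion present: $($wide -join ', ')"
    # Remediation once confirmed:  Remove-MpPreference -ExclusionPath $wide
}

# 2. Executables under the .NET Framework tree that are not signed by Microsoft.
#    Real aspnet_compiler.exe carries a valid Microsoft signature; a drop-in will not.
Write-Host "`n--- Non-Microsoft or unsigned EXEs under $env:windir\Microsoft.NET ---"
Get-ChildItem "$env:windir\Microsoft.NET" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status
                Signer   = $subject
                Modified = $_.LastWriteTime
            }
        }
    } | Format-Table -AutoSize -Wrap

# 3. Startup folders (all-users and current user): scripts that embed a long base64 run
#    or call a decoder are the "obfuscated batch with an attachment" pattern.
Write-Host "`n--- Startup folder contents ---"
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue | ForEach-Object {
    $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($null -eq $text) { $text = '' }
    [pscustomobject]@{
        Path       = $_.FullName
        SizeKB     = [math]::Round($_.Length / 1KB, 1)
        Base64Blob = [regex]::IsMatch($text, '[A-Za-z0-9+/]{200,}={0,2}')
        Decoder    = [bool]($text -match 'certutil|-decode|FromBase64String|powershell\s+-e')
        Modified   = $_.LastWriteTime
    }
} | Format-Table -AutoSize -Wrap

# 4. Scheduled tasks outside \Microsoft\ that run elevated at boot or logon.
Write-Host "`n--- Elevated boot/logon tasks outside \Microsoft\ ---"
Get-ScheduledTask | Where-Object {
    $_.State -ne 'Disabled' -and
    $_.Principal.RunLevel -eq 'Highest' -and
    $_.TaskPath -notlike '\Microsoft\*'
} | ForEach-Object {
    $task = $_
    $task.Triggers | Where-Object { $_.CimClass.CimClassName -match 'BootTrigger|LogonTrigger' } |
        ForEach-Object {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Trigger = $_.CimClass.CimClassName
                Command = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Author  = $task.Author
            }
        }
} | Format-Table -AutoSize -Wrap
```

Read the four tables together: a single unsigned EXE under `Microsoft.NET` is a lead, but the same path appearing as a task action that runs with `Highest` at boot, next to a `C:\*` exclusion, is the full chain the post describes. Disable the task and remove the exclusion before deleting the files, otherwise the next reboot simply re-creates them.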

[-] Cevilia 15 points 1 week ago

If you don't want to go down the Linux route, you might investigate Sandboxie. I remember that thing working miracles back when I was a Windows user.

[-] frongt@lemmy.zip 8 points 1 week ago

Windows has built in sandboxing now. I haven't actually used it, but I know it exists.

[-] Cevilia 11 points 1 week ago

It's been a minute since I used Windows. I wonder if it actually works.

[-] sga@piefed.social 3 points 1 week ago

(Not a Windows user, so maybe wrong.) AFAIK it is effectively a VM (or something like Docker sharing the kernel but not the filesystem, but not sure) where you can test an executable. It is only available to Pro accounts though (so not the vast majority of Home and OEM installs).

[-] Zorsith 5 points 1 week ago

Lots of weird stuff like that. I learned a couple of weeks ago that the three-finger touchpad gesture from GNOME works for Windows virtual desktops (IF you already created a second one, otherwise it does nothing IIRC).

[-] Moonrise2473@lemmy.ml 7 points 1 week ago* (last edited 1 week ago)

Probably I would have run it outside anyway, as the crack just silently "crashed" (while successfully dropping the malware as admin in the right spot, ready to be run as admin at the next boot via the Task Scheduler), and I would have thought "maybe it doesn't run in a sandbox/VM".

But yes, in hindsight, if I had run it in Sandboxie then I might have noticed that it had dropped suspiciously named files in common:startup with that nice file-transfer GUI (unless the malware detected Sandboxie and did not run the malicious routines).

[-] Cevilia 4 points 1 week ago* (last edited 1 week ago)

If it didn't run the malicious routines, problem solved :)

Not a silver bullet, just something to remember exists.

this post was submitted on 27 Oct 2025
187 points (100.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ