The process starts when the target runs the installer for their torrented game (or otherwise cracked software). This installer registers 'Maintenance.vbs' to run on system startup. Then, in an effort to hide the attacker’s intentions, a counter is started that waits for a set number of system restarts before continuing the process. Once that number of restarts has been reached, 'Serviceinstaller.msi' is run, which disables hibernation mode, ensures that the next boot will be in safe mode, and registers 'Serviceinstaller.exe' to run in safe mode. At this point, 'Serviceinstaller.msi' and 'Maintenance.vbs' are deleted for further obfuscation.
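The staging sequence described above can be turned into a defender-side triage rule. The following is an added example, not code from the original analysis: it scores normalized host events against those steps, and the event schema (`kind`, `target`, `ts`), the host names and the `C:\example` paths are assumptions constructed for illustration.

```python
from collections import defaultdict

# Steps from the article as (event kind, file name). The "kind" values are a
# hypothetical normalized telemetry schema, not a real product's field names.
STAGES = {
    "vbs_autorun": ("autorun_added", "maintenance.vbs"),
    "msi_run": ("process_start", "serviceinstaller.msi"),
    "hibernate_off": ("hibernation_disabled", None),
    "safeboot_set": ("safeboot_configured", None),
    "safeboot_svc": ("safeboot_service_added", "serviceinstaller.exe"),
    "msi_deleted": ("file_deleted", "serviceinstaller.msi"),
    "vbs_deleted": ("file_deleted", "maintenance.vbs"),
}

def stage_of(event):
    """Map one event to a stage name, or None if it matches no step."""
    basename = event.get("target", "").lower().rsplit("\\", 1)[-1]
    for stage, (kind, name) in STAGES.items():
        if event["kind"] == kind and name in (None, basename):
            return stage

def triage(events):
    """Return {host: (verdict, stages ordered by first sighting)}."""
    seen = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].setdefault(stage, ev["ts"])
    report = {}
    for host, st in seen.items():
        # Core of the chain: the startup script appears first, then a forced
        # safe-mode boot with Serviceinstaller.exe registered to run in it.
        core = "safeboot_svc" in st and "vbs_autorun" in st and \
            st["vbs_autorun"] < st.get("safeboot_set", -1)
        verdict = "chain" if core else "review" if len(st) >= 2 else "single"
        report[host] = (verdict, sorted(st, key=st.get))
    return report

# Constructed sample: made-up hosts, counter timestamps, placeholder paths.
SAMPLE = [dict(host=h, ts=t, kind=k, target=x) for h, t, k, x in [
    ("pc-01", 1, "autorun_added", r"C:\example\Maintenance.vbs"),
    ("pc-02", 2, "hibernation_disabled", ""), ("pc-03", 3, "safeboot_configured", ""),
    ("pc-03", 4, "hibernation_disabled", ""),
    ("pc-01", 9, "process_start", r"C:\example\Serviceinstaller.msi"),
    ("pc-01", 10, "hibernation_disabled", ""),
    ("pc-01", 11, "safeboot_configured", ""),
    ("pc-01", 12, "safeboot_service_added", r"C:\example\Serviceinstaller.exe"),
    ("pc-01", 13, "file_deleted", r"C:\example\Serviceinstaller.msi"),
    ("pc-01", 14, "file_deleted", r"C:\example\Maintenance.vbs"),
]]
```

Running `triage(SAMPLE)` marks `pc-01` as `chain`, while the hosts that only changed hibernation or safe-boot settings stay at `single` or `review`, since each of those settings has legitimate uses on its own.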
Because antivirus software doesn’t work in safe mode, booting into safe mode is an integral part of Crackonosh’s success. This step allows 'Serviceinstaller.exe' to disable and delete Windows Defender and, in its place, install a file called 'MSASCuiL.exe'. The goal of 'MSASCuiL.exe' is to make it seem like Windows Defender is still up and running by putting the Windows Security icon in the system tray (though further investigation would make it obvious something was amiss). 'Serviceinstaller.exe' also deletes any of the following antivirus software: