{
	"id": "8c8416e8-0792-481e-adf7-ecb08288e7a1",
	"created_at": "2026-04-06T00:10:05.544526Z",
	"updated_at": "2026-04-10T03:21:37.317408Z",
	"deleted_at": null,
	"sha1_hash": "513d9e8b760276f67018a2c63635942beb8059a8",
	"title": "To crypt, or to mine – that is the question",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 607429,
	"plain_text": "To crypt, or to mine – that is the question\r\nBy Egor Vasilenko\r\nPublished: 2018-07-05 · Archived: 2026-04-05 23:06:22 UTC\r\nWay back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family. That was the starting point for this long-lived Trojan family, which is still\r\nfunctioning to this day. During that time the malware writers have changed:\r\nthe way their Trojans get keys (from locally generated to received from the C\u0026C);\r\nthe algorithms used (from using only a symmetric algorithm, through a commonly used scheme of\r\nsymmetric + asymmetric, to 18 symmetric algorithms used simultaneously);\r\nthe crypto-libraries (LockBox, AESLib, DCPcrypt);\r\nthe distribution method (from spam to remote execution).\r\nNow the criminals have decided to add a new feature to their creation – a mining capability. In this article we\r\ndescribe a downloader that decides how to infect the victim: with a cryptor or with a miner.\r\nDistribution\r\nGeography of attacks\r\nGeography of Trojan-Downloader.Win32.Rakhni\r\nTop five countries attacked by Trojan-Downloader.Win32.Rakhni (ranked by percentage of users attacked):\r\nCountry %*\r\nhttps://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/\r\nPage 1 of 16\n\n1 Russian Federation 95.57%\r\n2 Kazakhstan 1.36%\r\n3 Ukraine 0.57%\r\n4 Germany 0.49%\r\n5 India 0.41%\r\n* Percentage of unique users attacked in each country by Trojan-Downloader.Win32.Rakhni, relative to all users\r\nattacked by this malware\r\nInfection vector\r\nAs far as we know, spam campaigns are still the main way of distributing this malware.\r\nEmail with malicious attachment\r\nAfter opening the email attachment, the victim is prompted to save the document and enable editing.\r\nhttps://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/\r\nPage 2 of 16\n\nAttached Word document\r\nThe victim is expected to double-click on the embedded PDF file. 
But instead of opening a PDF the victim\r\nlaunches a malicious executable.\r\nUAC window shown before the Trojan starts\r\nDownloader\r\nGeneral information\r\nThe downloader is an executable file written in Delphi. To complicate analysis, all strings inside the malware are\r\nencrypted with a simple substitution cipher.\r\nAfter execution, the downloader displays a message box with an error text. The purpose of this message is to\r\nexplain to the victim why no PDF file opened.\r\nFake error message\r\nTo hide the presence of the malicious software in the system the malware developer made their creation look like\r\nthe products of Adobe Systems. This is reflected in the icon, the name of the executable file and the fake digital\r\nsignature that uses the name Adobe Systems Incorporated. In addition, before installing the payload the\r\ndownloader sends an HTTP request to the address www.adobe.com.\r\nEnvironment checks\r\nAfter the message box is closed the malware performs a number of checks on the infected machine:\r\nSelf path check\r\nThe name should contain the substring AdobeReader\r\nThe path should contain one of the following substrings:\r\n\\TEMP\r\n\\TMP\r\n\\STARTUP\r\n\\CONTENT.IE\r\nRegistry check\r\nChecks that the registry value HKCU\\Software\\Adobe\\DAVersion does not exist; if it is absent, the malware creates the\r\nvalue HKCU\\Software\\Adobe\\DAVersion = True and continues its work\r\nRunning processes check\r\nChecks that the count of running processes is greater than 26\r\nChecks that none of the processes listed in the table below are present.\r\nalive.exe filewatcherservice.exe ngvmsvc.exe sandboxierpcss.exe\r\nanalyzer.exe fortitracer.exe nsverctl.exe sbiectrl.exe\r\nangar2.exe goatcasper.exe ollydbg.exe sbiesvc.exe\r\napimonitor.exe GoatClientApp.exe peid.exe scanhost.exe\r\napispy.exe hiew32.exe perl.exe scktool.exe\r\napispy32.exe hookanaapp.exe petools.exe sdclt.exe\r\nasura.exe hookexplorer.exe pexplorer.exe sftdcc.exe\r\nautorepgui.exe httplog.exe ping.exe shutdownmon.exe\r\nautoruns.exe icesword.exe pr0c3xp.exe sniffhit.exe\r\nautorunsc.exe iclicker-release.exe.exe prince.exe snoop.exe\r\nautoscreenshotter.exe idag.exe procanalyzer.exe spkrmon.exe\r\navctestsuite.exe idag64.exe processhacker.exe sysanalyzer.exe\r\navz.exe idaq.exe processmemdump.exe syser.exe\r\nbehaviordumper.exe immunitydebugger.exe procexp.exe systemexplorer.exe\r\nbindiff.exe importrec.exe procexp64.exe systemexplorerservice.exe\r\nBTPTrayIcon.exe imul.exe procmon.exe sython.exe\r\ncapturebat.exe Infoclient.exe procmon64.exe taskmgr.exe\r\ncdb.exe installrite.exe python.exe taslogin.exe\r\ncff explorer.exe ipfs.exe pythonw.exe tcpdump.exe\r\nclicksharelauncher.exe iprosetmonitor.exe qq.exe tcpview.exe\r\nclosepopup.exe iragent.exe qqffo.exe timeout.exe\r\ncommview.exe iris.exe qqprotect.exe totalcmd.exe\r\ncports.exe joeboxcontrol.exe qqsg.exe trojdie.kvp\r\ncrossfire.exe joeboxserver.exe raptorclient.exe txplatform.exe\r\ndnf.exe lamer.exe regmon.exe virus.exe\r\ndsniff.exe LogHTTP.exe regshot.exe vx.exe\r\ndumpcap.exe lordpe.exe RepMgr64.exe winalysis.exe\r\nemul.exe malmon.exe RepUtils32.exe winapioverride32.exe\r\nethereal.exe mbarun.exe RepUx.exe windbg.exe\r\nettercap.exe mdpmon.exe runsample.exe windump.exe\r\nfakehttpserver.exe mmr.exe samp1e.exe winspy.exe\r\nfakeserver.exe mmr.exe sample.exe wireshark.exe\r\nFiddler.exe multipot.exe sandboxiecrypto.exe xxx.exe\r\nfilemon.exe netsniffer.exe sandboxiedcomlaunch.exe ZID Updater File Writer Service.exe\r\nComputer name check\r\nThe name of the computer shouldn’t contain any of the following\r\n
substrings:\r\n-MALTEST\r\nAHNLAB\r\nWILBERT-FIREEYES-CUCKOO\r\nRSWT-FORTINET-GITSTEST\r\nCalculates an MD5 digest of the computer name in lower case and compares it with a hundred\r\ndenylisted values\r\nIP address check\r\nObtains the external IP address of the machine and compares it with hardcoded values.\r\nVirtual machine check\r\nChecks that the following registry keys don’t exist:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle VM VirtualBox Guest Additions\r\nHKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sandboxie\r\nHKLM\\SYSTEM\\ControlSet002\\Enum\\VMBUS\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\VirtualBox\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\Parallels Workstation\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\PRLS\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\Virtual PC\r\nHKLM\\HARDWARE\\ACPI\\SDT\\AMIBI\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\VMware Workstation\r\nHKLM\\HARDWARE\\ACPI\\DSDT\\PTLTD\r\nHKLM\\SOFTWARE\\SandboxieAutoExec\r\nHKLM\\SOFTWARE\\Classes\\Folder\\shell\\sandbox\r\nChecks that the following registry values don’t exist:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OpenGLDrivers\\VBoxOGL\\Dll=VBoxOGL.dll\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\Disk\\Enum\\0=Virtual\r\nHKLM\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemProductName=VirtualBox\r\nChecks that none of the processes listed in the table below are present.\r\nprlcc.exe VGAuthService.exe vmsrvc.exe vmware-tray.exe\r\nprltools.exe vmacthlp.exe vmtoolsd.exe vmware-usbarbitrator.exe\r\nSharedIntApp.exe vmicsvc.exe vmusrvc.exe vmware-usbarbitrator64.exe\r\nTPAutoConnect.exe vmnat.exe vmware-authd.exe vmwaretray.exe\r\nTPAutoConnSvc.exe vmnetdhcp.exe vmware-converter-a.exe vmwareuser.exe\r\nVBoxService.exe vmount2.exe vmware-converter.exe xenservice.exe\r\nVBoxTray.exe VMRemoteGuest.exe vmware-hostd.exe\r\nIf at least one of the performed checks fails, the downloader ends the process.\r\nInstallation of certificates\r\nThe downloader installs a root certificate that’s stored in its resources. All downloaded malicious executables are\r\nsigned with this certificate. We have found fake certificates that claim to have been issued by Microsoft\r\nCorporation and Adobe Systems Incorporated.\r\nFake Microsoft Corporation certificate\r\nFake Adobe Systems Incorporated certificate\r\nCertificates are installed using the standard utility CertMgr.exe that’s also stored in the downloader’s resources.\r\nResources contained in the downloader executable file\r\nBefore installing the certificate, the downloader drops the necessary files from the resources to the %TEMP%\r\ndirectory.\r\nFake certificate and CertMgr.exe utility\r\nIt then executes the following command:\r\nCertMgr.exe -add -c 179mqn7h0c.cer -s -r localMachine root\r\nThe main decision\r\nThe decision to download the cryptor or the miner depends on the presence of the folder %AppData%\\Bitcoin. If\r\nthe folder exists, the downloader decides to download the cryptor. If the folder doesn’t exist and the machine has\r\nmore than two logical processors, the miner will be downloaded. If there’s no folder and just one logical\r\nprocessor, the downloader jumps to its worm component, which is described below in the corresponding part of\r\nthe article.\r\nCryptor decision\r\nThe Trojan downloads a password-protected archive that contains a cryptor module.\r\n
The archive will be\r\ndownloaded to the startup directory (C:\\Documents and Settings\\username\\Start Menu\\Programs\\Startup) and then\r\nthe downloader will unpack it using the command line WinRAR tool. The cryptor executable will have the name\r\ntaskhost.exe.\r\nAfter execution, the cryptor performs an environment check like the installer; in addition, it will check that it’s\r\nrunning after the downloader decision (by checking the registry value HKCU\\Software\\Adobe\\DAVersion is\r\npresent).\r\nInterestingly, the cryptor only starts working if the system has been idle for at least two minutes. Before\r\nencrypting files, the cryptor terminates the following processes:\r\n1cv7s.exe Foxit Advanced PDF Editor.exe mspaint.exe soffice.exe\r\n1cv8.exe Foxit Phantom.exe mysqld.exe sqlservr.exe\r\n1cv8c.exe Foxit PhantomPDF.exe NitroPDF.exe sqlwriter.exe\r\n7zFM.exe Foxit Reader.exe notepad.exe STDUViewerApp.exe\r\nacad.exe FoxitPhantom.exe OUTLOOK.EXE SumatraPDF.exe\r\nAccount.EXE FoxitReader.exe PDFMaster.exe thebat.exe\r\nAcrobat.exe FreePDFReader.exe PDFXCview.exe thebat32.exe\r\nAcroRd32.exe gimp-2.8.exe PDFXEdit.exe thunderbird.exe\r\narchitect.exe GSmeta.exe pgctl.exe ThunderbirdPortable.exe\r\nbricscad.exe HamsterPDFReader.exe Photoshop.exe VISIO.EXE\r\nBridge.exe Illustrator.exe Picasa3.exe WebMoney.exe\r\nCorelDRW.exe InDesign.exe PicasaPhotoViewer.exe WinDjView.exe\r\nCorelPP.exe iview32.exe postgres.exe WinRAR.exe\r\nEXCEL.EXE KeePass.exe POWERPNT.EXE WINWORD.EXE\r\nfbguard.exe Magnat2.exe RdrCEF.exe wlmail.exe\r\nfbserver.exe MSACCESS.EXE SmWiz.exe wordpad.exe\r\nFineExec.exe msimn.exe soffice.bin xnview.exe\r\nIn addition, if there is no avp.exe process running, the cryptor removes volume shadow copies.\r\nThe cryptor encrypts files with the following extensions:\r\n“.ebd”, “.jbc”, “.pst”, “.ost”, “.tib”, “.tbk”, “.bak”, “.bac”, “.abk”, “.as4”, “.asd”,\r\n
“.ashbak”, “.backup”,\r\n“.bck”, “.bdb”, “.bk1”, “.bkc”, “.bkf”, “.bkp”, “.boe”, “.bpa”, “.bpd”, “.bup”, “.cmb”, “.fbf”, “.fbw”, “.fh”,\r\n“.ful”, “.gho”, “.ipd”, “.nb7”, “.nba”, “.nbd”, “.nbf”, “.nbi”, “.nbu”, “.nco”, “.oeb”, “.old”, “.qic”, “.sn1”,\r\n“.sn2”, “.sna”, “.spi”, “.stg”, “.uci”, “.win”, “.xbk”, “.iso”, “.htm”, “.html”, “.mht”, “.p7”, “.p7c”, “.pem”,\r\n“.sgn”, “.sec”, “.cer”, “.csr”, “.djvu”, “.der”, “.stl”, “.crt”, “.p7b”, “.pfx”, “.fb”, “.fb2”, “.tif”, “.tiff”,\r\n“.pdf”, “.doc”, “.docx”, “.docm”, “.rtf”, “.xls”, “.xlsx”, “.xlsm”, “.ppt”, “.pptx”, “.ppsx”, “.txt”, “.cdr”,\r\n“.jpe”, “.jpg”, “.jpeg”, “.png”, “.bmp”, “.jiff”, “.jpf”, “.ply”, “.pov”, “.raw”, “.cf”, “.cfn”, “.tbn”, “.xcf”,\r\n“.xof”, “.key”, “.eml”, “.tbb”, “.dwf”, “.egg”, “.fc2”, “.fcz”, “.fg”, “.fp3”, “.pab”, “.oab”, “.psd”, “.psb”,\r\n“.pcx”, “.dwg”, “.dws”, “.dxe”, “.zip”, “.zipx”, “.7z”, “.rar”, “.rev”, “.afp”, “.bfa”, “.bpk”, “.bsk”, “.enc”,\r\n“.rzk”, “.rzx”, “.sef”, “.shy”, “.snk”, “.accdb”, “.ldf”, “.accdc”, “.adp”, “.dbc”, “.dbx”, “.dbf”, “.dbt”,\r\n“.dxl”, “.edb”, “.eql”, “.mdb”, “.mxl”, “.mdf”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.kdb”, “.kdbx”,\r\n“.1cd”, “.dt”, “.erf”, “.lgp”, “.md”, “.epf”, “.efb”, “.eis”, “.efn”, “.emd”, “.emr”, “.end”, “.eog”, “.erb”,\r\n“.ebn”, “.ebb”, “.prefab”, “.jif”, “.wor”, “.csv”, “.msg”, “.msf”, “.kwm”, “.pwm”, “.ai”, “.eps”, “.abd”,\r\n“.repx”, “.oxps”, “.dot”.\r\nAfter encryption the file extension will be changed to .neitrino.\r\nFiles are encrypted using an RSA-1024 encryption algorithm. 
The information necessary to decrypt the files is\r\nsent to the attacker by email.\r\nIn each encrypted directory, the cryptor creates a MESSAGE.txt file with the following contents:\r\nRansom note\r\nMiner decision\r\nThe downloading process of the miner is the same except for the downloading folder – the miner is saved to the\r\npath %AppData%\\KB\u003c8_random_chars\u003e, where \u003c8_random_chars\u003e, as the name suggests, is a string constructed\r\nfrom alphanumeric characters [0-9a-z].\r\nAfter downloading and unpacking the archive with the miner, the Trojan does the following:\r\nFirstly, it generates a VBS script that will be launched after an OS reboot. The script has the name\r\nCheck_Updates.vbs. This script contains two commands for mining:\r\nthe first command will start a process to mine the cryptocurrency Monero;\r\nthe second command will start a process to mine the cryptocurrency Monero Original. The name of\r\nthe subfolder where the executable should be located (cuda) may indicate that this executable will\r\nuse the GPU power for mining.\r\nContent of the Check_Updates.vbs file\r\nThen, if there is a file named %AppData%\\KB\u003c8_random_chars\u003e\\svchost.exe, the Trojan executes it to\r\nmine the cryptocurrency Dashcoin.\r\nProcess for mining the Dashcoin cryptocurrency\r\nWhen this analysis was carried out, the downloader was receiving an archive with a miner that didn’t use the\r\nGPU.\r\n
The attacker uses the console version of the MinerGate utility for mining.\r\nChecking the utility for mining\r\nIn order to disguise the miner as a trusted process, the attacker signs it with a fake Microsoft Corporation\r\ncertificate and names it svchost.exe.\r\nDisabling of Windows Defender\r\nRegardless of whether the cryptor or the miner was chosen, the downloader checks if one of the following AV\r\nprocesses is launched:\r\n360DocProtect.exe avgui.exe dwservice.exe McUICnt.exe\r\n360webshield.exe avgwdsvc.exe dwwatcher.exe mcupdate.exe\r\nAvastSvc.exe Avira.OE.ServiceHost.exe egui.exe ProtectionUtilSurrogate.exe\r\nAvastUI.exe Avira.OE.Systray.exe ekrn.exe QHActiveDefense.exe\r\navgcsrva.exe Avira.ServiceHost.exe kav.exe QHSafeTray.exe\r\navgemca.exe Avira.Systray.exe LUALL.exe QHWatchdog.exe\r\navgidsagent.exe avp.exe LuComServer.exe Rtvscan.exe\r\navgnsa.exe ccApp.exe McCSPServiceHost.exe SMC.exe\r\navgnt.exe ccSvcHst.exe McPvTray.exe SMCgui.exe\r\navgrsa.exe Dumpuper.exe McSACore.exe spideragent.exe\r\navgrsx.exe dwengine.exe mcshield.exe SymCorpUI.exe\r\navguard.exe dwnetfilter.exe McSvHost.exe\r\nIf no AV process was found in the system, the Trojan will run several cmd commands that will disable Windows\r\nDefender in the system:\r\ncmd /C powershell Set-MpPreference -DisableRealtimeMonitoring $true\r\ncmd /C powershell Set-MpPreference -MAPSReporting 0\r\ncmd /C powershell Set-MpPreference -SubmitSamplesConsent 2\r\ntaskkill /IM MSASCuiL.exe\r\ncmd /C REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f\r\ncmd /C REG ADD HKCU\\Software\\Policies\\Microsoft\\Windows\\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f\r\ncmd /C REG DELETE HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v SecurityHealth /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v AllowFastServiceStartup /t REG_DWORD /d 0 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v ServiceKeepAlive /t REG_DWORD /d 0 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /v DisableIOAVProtection /t REG_DWORD /d 1 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet /v SubmitSamplesConsent /t REG_DWORD /d 2 /f\r\ncmd /C REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration /v NotificationSuppress /t REG_DWORD /d 1 /f\r\nSending the statistics\r\nDuring their operation the downloader and cryptor modules send emails with statistics to a hardcoded address.\r\nThese messages contain information about the current state of infection and other details such as:\r\ncomputer name;\r\nvictim IP address;\r\npath of malware in the system;\r\ncurrent date and time;\r\nmalware build date.\r\nThe downloader sends the following states:\r\nHello Install Sent after the cryptor or miner is downloaded\r\nHello NTWRK Sent after the downloader attempts to spread through the victim’s network\r\nError Sent if something goes wrong and contains the error code value\r\nThe cryptor sends the following states:\r\nLocked Shows that the cryptor was launched\r\nFinal Shows that the cryptor has ended the encryption process\r\nAnother interesting fact is that the downloader also has some spyware functionality – its messages include a list of\r\nrunning processes and an attachment with a screenshot.\r\nWorm component\r\nAs one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it\r\ncalls the system command ‘net view /all’, which returns all the shares; the Trojan then creates the list.log\r\nfile containing the names of computers with shared resources. For each computer listed in the file the Trojan\r\nchecks if the folder Users is shared and, if so, the malware copies itself to the folder\r\n\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup of each accessible user.\r\nSelf-deleting\r\nBefore shutting down the malware creates a batch file that deletes all ‘temporary’ files created during the infection\r\nprocess. This is a common practice for malware. The thing that interested us was the use of the Goto label\r\n‘malner’. Perhaps this is a portmanteau of the words ‘malware’ and ‘miner’ used by the criminal.\r\nContent of the svchost.bat file\r\nDetection verdicts\r\nOur products detect the malware described here with the following verdicts:\r\nDownloader: Trojan-Downloader.Win32.Rakhni.pwc\r\nMiner: not-a-virus:RiskTool.Win32.BitCoinMiner.iauu\r\nCryptor: Trojan-Ransom.Win32.Rakhni.wbrf\r\nIn addition, all the malware samples are detected by the System Watcher component.\r\nIoCs\r\nMalicious document: 81C0DEDFA5CB858540D3DF459018172A\r\nDownloader: F4EC1E3270D62DD4D542F286797877E3\r\nMiner: BFF4503FF1650D8680F8E217E899C8F4\r\nCryptor: 96F460D5598269F45BCEAAED81F42E9B\r\nURLs\r\nhxxp://protnex[.]pw\r\nhxxp://biserdio[.]pw\r\nSource: https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/"
	],
	"report_names": [
		"86307"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/513d9e8b760276f67018a2c63635942beb8059a8.pdf",
		"text": "https://archive.orkl.eu/513d9e8b760276f67018a2c63635942beb8059a8.txt",
		"img": "https://archive.orkl.eu/513d9e8b760276f67018a2c63635942beb8059a8.jpg"
	}
}