Malicious software called Rakhni Trojan, first detected in 2013, has evolved over five years and now the decision on the choice of the harm mechanism depends on the victim’s computer configuration. Judging by the statistics of affected users, the virus is spread by email in Russia, Kazakhstan, and Ukraine , Germany and India. Phishing emails with fake financial documents in .pdf format are sent to e-mail. When downloading, an error message appears when opening a file, then the malware scans the computer and, if possible, disables the built-in “Windows Defender”, installs the root certificate, which is stored in its resources, and, choosing the type of activity (organize hidden mining, encrypt files in order to demand a ransom or run the worm component to parasitize other PCs on the local network) activates its activity. So, after downloading to a computer, malware looks for a cryptocurrency wallet. If a Bitcoin data folder or% AppData% \\ Bitcoin is found, it downloads a cryptography module and encrypts files for which it then requires a ransom. If this folder is not found and the computer has two or more logical processors, the miner module for developing Monero or Dashcoin is loaded . If there is only one logical processor on the device, the worm loads and the virus spreads to other computers on the local network.