THIS IS A VIRUS: IT MINES BITCOIN AND STEALS YOUR INFORMATION
Infection Timeline & Source Analysis
March 25, 2026 — This is the key date. Multiple things appeared that day:
Evidence | Date | What it tells us
--- | --- | ---
EXO folder on Desktop (cheat payload .bin files) | 3/25 9:00 PM | Game cheat/hack downloaded
NVIDIA_app_v11.0.6.383.exe in Downloads | 3/25 1:27 PM | Possibly trojanized NVIDIA installer
Trojanized NvContainer.exe (TLauncher signed) | Active since ~3/25 | Replaced real NVIDIA component
Staging files in SystemTemp (TLauncher/Famatech signed) | 3/26–3/27 | Malware deploying additional payloads
The Rainbow Six hack you downloaded on the 25th is almost certainly the initial dropper. Here's why:
1. The EXO folder on your Desktop contained .bin payload files all dated 3/25 at 9:00 PM — that's cheat loader data
2. SZ1WANQPJDK.COM was in that same EXO folder — Malwarebytes flagged it as Generic.Malware/Suspicious
3. DCONTROL.EXE on Desktop — this is "Defender Control," a tool to disable Windows Defender. The hack likely told you to "disable your AV before running" — that's a red flag every time
What the Malware Did (Full Picture)
Stage 1 — The R6 hack (Day 1, March 25):
• You ran the hack, it asked you to disable Defender (or used DCONTROL.EXE to do it automatically)
• It disabled Defender via IFEO hijack (mpcmdrun.exe → systray.exe) and registry policies
• Dropped the EXO folder with cheat binaries + hidden malware
Stage 2 — Deployment (March 25–27):
• Installed SystemDiagnosticsHost.exe as a Windows Service (watchdog)
• Deployed svchostnon.exe — cryptominer using your RTX 3090 (that's why they target gamers — powerful GPUs)
• Deployed mppr.exe — backdoor/RAT (68GB virtual memory, accepting inbound connections)
• Replaced your user-local NvContainer.exe with a trojanized copy connecting to C2 server
• Installed VQ7KE2T7L5W.SYS — kernel rootkit driver (this is why files were invisible to Get-Item)
• Loaded DDB64.DLL — another bitcoin miner component
• Injected MSLDRIVER.DLL into explorer.exe — persistence + stealth (still loaded, deleted on reboot)
• Set Userinit hijack for reboot persistence
• Created 7+ scheduled tasks under fake names for respawning
Stage 3 — Ongoing operation:
• Mining crypto on your GPU/CPU 24/7
• Maintaining backdoor access via port 12666 to vviukjdsjnj25i5.bounceme.net
• The gogoduck registry key stored encoded C2 configuration
• Firewall rules allowed inbound connections (full remote access)
What's Likely Compromised
Assume everything is compromised:
• All saved passwords in Chrome/Edge — stealers grab these first
• Discord token — they can access your Discord as you
• Steam session — possible account theft
• Any banking/email open in browser
• OneDrive — HTGH.EXE was found IN your OneDrive folder (malware was syncing to cloud)
• Any files on your PC — the RAT had full access
Immediate Actions (from a different device)
1. Change ALL passwords NOW — from your phone or another computer
2. Enable 2FA everywhere — Steam, Discord, email, banking, Epic, Ubisoft
3. Revoke Discord tokens — change password (this invalidates old tokens)
4. Check bank/payment accounts for unauthorized activity
5. Reboot this PC — the renamed MSLDRIVER.DLL will be deleted and Defender can potentially be re-enabled
6. After reboot — run a full Malwarebytes scan again to confirm everything is clean
7. Never disable your AV to run a game hack — that's literally the malware telling you to open the door
The hack was the trojan horse. It worked as a cheat too — that's how they get you to keep running it.
Full Malware Inventory — R6 Cheat Dropper (March 25, 2026)
Infection Vector
• Source: Rainbow Six Siege hack download (March 25, 2026)
• Initial dropper: Cheat executable in C:\Users\...\Desktop\EXO\ folder
• Code-signing entity: Files falsely signed as "TLauncher Inc." and "Famatech Corp BVI" (both fake/stolen certs)
---
Malicious Files
File | Location | Purpose
--- | --- | ---
svchostnon.exe | C:\Windows\System32\ | Cryptominer — consumed 25GB+ RAM, mimics svchost.exe
mppr.exe | C:\Windows\System32\ | RAT/Backdoor — 68GB virtual memory, accepted inbound connections
splwow32.exe | C:\Windows\System32\ | Malware loader — fake name mimicking real Windows print component
SystemDiagnosticsHost.exe | C:\Windows\System32\ | Watchdog service — respawns killed malware processes
CORPerfMonSymbols.exe | C:\Windows\System32\ | Login persistence — injected into Userinit registry
usbperfsym.exe | C:\Windows\System32\ | Scheduled task payload — launched by XCCProcess tasks
DDB64.DLL | C:\Windows\System32\ | BitcoinMiner module — loaded DLL for mining operations
MSLDRIVER.DLL | C:\Windows\Media\ | Trojan.Crypt.MSIL — injected into explorer.exe, survives logoff
VQ7KE2T7L5W.SYS | C:\Windows\System32\drivers\ | Kernel rootkit driver — ring-0 access, hides malware from OS
NvContainer.exe | C:\Users\...\AppData\Local\NVIDIA Corporation\NVIDIA App\ | Trojanized NVIDIA — fake NvContainer, connected to C2 server. Signed "TLauncher Inc.", HashMismatch
NvContainer.exe | C:\Windows\SYSTEM32\config\systemprofile\AppData\Local\NVIDIA Corporation\NVIDIA App\ | Same trojan — SYSTEM profile copy
RC_ConnectedAccount.exe | C:\Windows\SystemTemp\ | Staging dropper — signed "Famatech Corp BVI"
2 more files | C:\Windows\SystemTemp\ | Staging files — signed as fake "TLauncher" and fake "Node.js"
BGDIUE.EXE | C:\Users\...\AppData\Local\Temp\ | Malware payload
DCONTROL.EXE | C:\Users\...\Desktop\ | DefenderControl — disables Windows Defender (Stage 1 of attack)
SZ1WANQPJDK.COM | C:\Users\...\Desktop\EXO\ | Generic.Malware
HTGH.EXE | C:\Users\...\OneDrive\Desktop\ | Malware syncing to cloud via OneDrive
8× TMP*.EXE files | C:\Users\...\AppData\Local\Temp\ | Temporary malware executables
TMPEEB7 | C:\Users\...\AppData\Local\Temp\ | Temp malware payload
---
⚙️ Malicious Windows Service
Service Name | Display Name | Executable | Purpose
--- | --- | --- | ---
System Diagnostics Host | System Diagnostics Host | SystemDiagnosticsHost.exe | Watchdog — auto-restarts killed malware. Registered as real Windows service. Ran as SYSTEM.
---
Malicious Scheduled Tasks (7+)
Task Name | Executable | Purpose
--- | --- | ---
XCCProcess (×3+ variants) | usbperfsym.exe | Persistence — launches miner/RAT components
NVIDIA App SelfUpdate | Trojanized NvContainer.exe | Fake NVIDIA update task — persistence for C2 backdoor
3+ additional unnamed tasks | Various malware EXEs | Auto-restart and deployment
---
Registry Hijacks
Registry Path | Value | Malware Set To | Purpose
--- | --- | --- | ---
HKLM\...\Image File Execution Options\mpcmdrun.exe | Debugger | systray.exe | IFEO Hijack — redirects Defender's CLI scanner to a dummy, prevents Defender from scanning
HKLM\...\Winlogon | Userinit | userinit.exe, CORPerfMonSymbols.exe | Login persistence — malware runs every time ANY user logs in
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiSpyware | 1 | Defender kill — policy-level disable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiVirus | 1 | Defender kill — policy-level disable
HKLM\SOFTWARE\Microsoft\Windows Defender | DisableAntiSpyware | 1 | Defender kill — direct key disable
HKLM\SOFTWARE\Microsoft\Windows Defender | DisableAntiVirus | 1 | Defender kill — direct key disable
HKCU\SOFTWARE\gogoduck | (entire key) | Base64-encoded data | RiskWare — encoded config/payload data
---
Malicious Firewall Rules
Rule Name | Direction | Action | Target
--- | --- | --- | ---
XCCProcess (×4 rules) | Inbound | Allow | mppr.exe — allows remote attackers to connect IN to the RAT
---
C2 (Command & Control) Server
Domain | Port | Protocol | Connected By
--- | --- | --- | ---
vviukjdsjnj25i5.bounceme.net | 12666 | TCP | Trojanized NvContainer.exe
Stage 1: DCONTROL.EXE disables Windows Defender
↓
Stage 2: Dropper deploys all components
├── Cryptominer: svchostnon.exe + DDB64.DLL (Bitcoin mining)
├── RAT/Backdoor: mppr.exe (remote access, 68GB virtual memory)
├── Rootkit: VQ7KE2T7L5W.SYS (kernel-level hiding)
├── C2 Beacon: NvContainer.exe → bounceme.net:12666
└── DLL Inject: MSLDRIVER.DLL → explorer.exe
↓
Stage 3: Persistence installed
├── Windows Service: "System Diagnostics Host" (watchdog)
├── 7+ Scheduled Tasks (XCCProcess, fake NVIDIA update)
├── IFEO hijack on mpcmdrun.exe (blocks Defender scans)
├── Userinit hijack (runs on every login)
├── Firewall rules (allows inbound RAT connections)
└── Registry disable of Defender (4 keys)
Infection Timeline & Source Analysis
March 25, 2026 — this is the key date. Everything started here.
Evidence | Date | What it tells us
--- | --- | ---
EXO folder with .bin payloads | 3/25 9:00 PM | Cheat loader + malware payload
Suspicious NVIDIA installer in Downloads | 3/25 1:27 PM | Likely trojanized installer
Trojanized NvContainer.exe | Active since ~3/25 | Replaced legit NVIDIA component
SystemTemp staging files | 3/26–3/27 | Malware deploying additional payloads
The cheat I downloaded that day was the initial dropper.
Here’s how I know:
EXO folder had payload files all timestamped the same time
There was a flagged suspicious file inside that folder
There was also a tool used to disable Windows Defender
That’s the classic setup — disable AV → run payload.
What the Malware Did (Full Breakdown)
Stage 1 — Initial Execution (March 25)
Disabled Windows Defender using registry + IFEO hijack
Dropped payload files
Set up initial persistence
Stage 2 — Deployment (March 25–27)
Installed a watchdog service to respawn malware
Deployed a cryptominer (using GPU/CPU)
Deployed a RAT/backdoor (accepting inbound connections)
Replaced legitimate NVIDIA process with trojanized version
Installed a kernel-level rootkit driver (hides everything)
Injected DLL into explorer.exe for stealth
Stage 3 — Ongoing Operation
Mining crypto constantly
Maintaining remote access to the machine
Using firewall rules to allow inbound connections
Storing encoded config data in registry
Syncing malware-related files to cloud storage
Command & Control (C2)
Connected to remote server:
vviukjdsjnj25i5.bounceme.net:12666
This is how they:
Control the system
Send commands
Pull data
What’s Likely Compromised
At this point, assume everything:
Browser saved passwords (Chrome/Edge)
Discord account/token
Steam and other gaming accounts
Email accounts
Banking/payment sessions
Any files on the PC
Cloud storage (files were syncing)
This wasn’t just local — it had full access.
Malware Components Identified
Executables:
svchostnon.exe → cryptominer
mppr.exe → RAT/backdoor
SystemDiagnosticsHost.exe → watchdog service
CORPerfMonSymbols.exe → login persistence
usbperfsym.exe → scheduled task payload
NvContainer.exe → trojanized NVIDIA process
DLLs / Drivers:
DDB64.DLL → mining module
MSLDRIVER.DLL → injected into explorer.exe
VQ7KE2T7L5W.SYS → kernel rootkit
Persistence Mechanisms
Fake Windows service running as SYSTEM
7+ scheduled tasks (auto-relaunch malware)
Userinit registry hijack (runs on login)
IFEO hijack blocking Defender scans
Multiple registry keys disabling Defender
Firewall rules allowing inbound RAT access
Bottom Line
This wasn’t just “a virus”
This was:
Multi-stage infection
Crypto miner
Full remote access backdoor
Kernel-level rootkit
Once that rootkit is in, the system cannot be trusted.
Immediate Actions I Took / Recommend
From another device:
Changed ALL passwords
Enabled 2FA everywhere
Revoked sessions/tokens (Discord, Steam, etc.)
Checked financial accounts
On the infected PC:
Rebooted system
Ran full malware scans
**WARNING: This is a highly sophisticated multi-stage malware infection**
Infection Date: March 25, 2026
Initial Vector: Rainbow Six Siege game hack / cheat (the trojan horse that also worked as a functional cheat)
---
Infection Timeline & Source Analysis
Key Date: March 25, 2026
Evidence | Date/Time | What It Tells Us
--- | --- | ---
EXO folder on Desktop (.bin payloads) | 3/25 9:00 PM | Game cheat/hack downloaded + malware dropper
NVIDIA_app_v11.0.6.383.exe | 3/25 1:27 PM | Likely trojanized NVIDIA installer
Trojanized NvContainer.exe | Active since ~3/25 | Replaced legitimate NVIDIA component
Staging files in SystemTemp | 3/26–3/27 | Malware deploying additional payloads
How we know the Rainbow Six hack was the initial dropper:
1. The EXO folder on your Desktop contained .bin payload files all timestamped 3/25 at 9:00 PM — classic cheat loader data.
2. SZ1WANQPJDK.COM was in the same EXO folder — flagged by Malwarebytes as Generic.Malware/Suspicious.
3. DCONTROL.EXE on Desktop — this is "Defender Control", a tool that disables Windows Defender. The hack almost certainly instructed you to "disable your antivirus before running" (a universal red flag).
---
What The Malware Did (Full Breakdown)
Stage 1 — Initial Execution (March 25)
- Ran the R6 hack, which prompted (or automatically ran) DCONTROL.EXE to disable Windows Defender.
- Disabled Defender through multiple methods: IFEO hijack (mpcmdrun.exe → systray.exe) and registry policies.
- Dropped the EXO folder containing cheat binaries + hidden malware payloads.
Stage 2 — Deployment (March 25–27)
- Installed SystemDiagnosticsHost.exe as a legitimate-looking Windows Service (watchdog).
- Deployed svchostnon.exe — cryptominer aggressively using your RTX 3090 GPU.
- Deployed mppr.exe — full-featured RAT/backdoor (68 GB virtual memory, accepting inbound connections).
- Replaced your user-local NvContainer.exe with a trojanized version (signed with stolen "TLauncher Inc." certificate) that connects to a C2 server.
- Installed VQ7KE2T7L5W.SYS — kernel-mode rootkit driver.
- Loaded DDB64.DLL — additional Bitcoin miner component.
- Injected MSLDRIVER.DLL into explorer.exe for persistence and stealth (deleted on reboot).
- Set Userinit registry hijack for boot/login persistence.
- Created 7+ scheduled tasks under fake names to keep respawning components.
Stage 3 — Ongoing Operation
- Cryptomining 24/7 on your GPU and CPU.
- Maintaining persistent backdoor access via port 12666 to vviukjdsjnj25i5.bounceme.net.
- Storing encoded C2 configuration in the gogoduck registry key.
- Creating firewall rules to allow inbound remote connections.
- Syncing malware files to your OneDrive (HTGH.EXE was found in your OneDrive folder).
---
Full Malware Inventory
Malicious Files:
File | Location | Purpose
--- | --- | ---
svchostnon.exe | C:\Windows\System32\ | Cryptominer (high RAM + GPU usage, mimics svchost.exe)
mppr.exe | C:\Windows\System32\ | RAT/Backdoor (accepts inbound connections)
splwow32.exe | C:\Windows\System32\ | Malware loader (fake Windows print spooler name)
SystemDiagnosticsHost.exe | C:\Windows\System32\ | Watchdog service — respawns killed malware
CORPerfMonSymbols.exe | C:\Windows\System32\ | Login persistence (injected via Userinit)
usbperfsym.exe | C:\Windows\System32\ | Scheduled task payload
DDB64.DLL | C:\Windows\System32\ | Bitcoin miner DLL
MSLDRIVER.DLL | C:\Windows\Media\ | Trojan DLL injected into explorer.exe
VQ7KE2T7L5W.SYS | C:\Windows\System32\drivers\ | Kernel rootkit (hides files/processes)
NvContainer.exe | Multiple (User + SYSTEM NVIDIA folders) | Trojanized NVIDIA component connecting to C2 (fake "TLauncher Inc." signature)
RC_ConnectedAccount.exe | C:\Windows\SystemTemp\ | Staging dropper (signed "Famatech Corp BVI")
BGDIUE.EXE | C:\Users\...\AppData\Local\Temp\ | Malware payload
DCONTROL.EXE | Desktop | Defender Control (disables antivirus)
SZ1WANQPJDK.COM | Desktop\EXO\ | Suspicious malware component
HTGH.EXE | OneDrive\Desktop\ | Malware that synced to cloud storage
Multiple TMP*.EXE files | C:\Users\...\AppData\Local\Temp\ | Temporary malware executables
Malicious Windows Service:
Service Name: System Diagnostics Host
Display Name: System Diagnostics Host
Executable: SystemDiagnosticsHost.exe
Purpose: Watchdog — runs as SYSTEM and restarts malware if killed
Malicious Scheduled Tasks (7+):
Task Name | Executable | Purpose
--- | --- | ---
XCCProcess (multiple variants) | usbperfsym.exe | Persistence — relaunches miner and RAT
NVIDIA App SelfUpdate | Trojanized NvContainer.exe | Fake update task for C2 backdoor
Additional unnamed tasks | Various | Auto-restart and deployment
Registry Hijacks & Modifications:
Registry Path | Value | Set To | Purpose
--- | --- | --- | ---
HKLM\...\Image File Execution Options\mpcmdrun.exe | Debugger | systray.exe | Blocks Windows Defender scans
HKLM\...\Winlogon\Userinit | Userinit | userinit.exe, CORPerfMonSymbols.exe | Runs malware on every login
Multiple Defender keys (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, etc.) | DisableAntiSpyware / DisableAntiVirus | 1 | Completely disables Windows Defender
HKCU\SOFTWARE\gogoduck | (entire key) | Base64-encoded data | Stores encoded C2 configuration
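A read-only audit of the registry locations in that table, added here as an example; it is not tooling from the original writeup. It reports every IFEO `Debugger` value, every non-stock entry in the Winlogon `Userinit` string, the `DisableAntiSpyware` / `DisableAntiVirus` flags in both the policy and product keys, and the value names under the `gogoduck` key (reported by size, never decoded). The function name `Test-DefenderTampering` and the report columns are this example's own; run it from an elevated PowerShell prompt as the affected user (the `gogoduck` key lives under HKCU), and it changes nothing.

```powershell
# Added example (not from the writeup): read-only audit of the registry
# locations the dropper tampered with. Run elevated; nothing is modified.
function Test-DefenderTampering {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. IFEO "Debugger" values. Windows starts the Debugger instead of the named
    #    program, so a Debugger on a security binary (the writeup's
    #    mpcmdrun.exe -> systray.exe) neuters that tool. Legitimate entries are rare.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings.Add([pscustomobject]@{ Check = 'IFEO Debugger'; Key = $sub.PSChildName; Value = $dbg;
                                             Note = 'program is redirected to this "debugger"' })
        }
    }

    # 2. Winlogon Userinit. The stock value is one entry, C:\Windows\system32\userinit.exe,
    #    followed by a trailing comma; every extra comma-separated entry runs at each logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -ine "$env:SystemRoot\system32\userinit.exe") {
            $findings.Add([pscustomobject]@{ Check = 'Userinit extra entry'; Key = $winlogon; Value = $entry;
                                             Note = 'runs at every interactive logon' })
        }
    }

    # 3. Defender disable flags, in the policy key and in the product key.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Microsoft\Windows Defender') {
        foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
            $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($v -eq 1) {
                $findings.Add([pscustomobject]@{ Check = 'Defender disabled'; Key = $key; Value = "$name = 1";
                                                 Note = 'remove the value, then re-check Get-MpComputerStatus' })
            }
        }
    }

    # 4. The encoded-config key from the writeup. Presence is the indicator; values
    #    are listed by name and length only, not decoded.
    $cfg = 'HKCU:\SOFTWARE\gogoduck'
    if (Test-Path -Path $cfg) {
        $props = Get-ItemProperty -Path $cfg
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $findings.Add([pscustomobject]@{ Check = 'Config key present'; Key = $cfg; Value = $p.Name;
                                             Note = "$(([string]$p.Value).Length) chars of data" })
        }
    }
    return $findings
}

$result = Test-DefenderTampering
if ($result.Count) { $result | Format-Table -AutoSize -Wrap } else { 'No tampering found in the checked keys.' }
```

A clean machine produces an empty report. The IFEO check intentionally reports every `Debugger` value rather than only the one on `mpcmdrun.exe`, because the same trick works against any security tool's executable name.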
Malicious Firewall Rules:
Rule Name | Direction | Action | Target
--- | --- | --- | ---
XCCProcess (×4) | Inbound | Allow | mppr.exe — allows remote attackers to connect to the RAT
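The service, scheduled-task and firewall tables above are the three persistence surfaces a defender inventories after an incident like this. The script below, added here as an example and not part of the writeup, walks all three and attaches the Authenticode status and signer subject of each target executable, which is what separates a stock Windows binary from a "TLauncher Inc."-signed copy sitting in System32 or a `HashMismatch`. The helper names `Get-ExeFromCommandLine`, `Get-SignerSummary` and `Get-PersistenceInventory` are this example's own. It reads only; run it elevated.

```powershell
# Added example (not from the writeup): list task, service and firewall
# persistence targets with their Authenticode signer. Run elevated; read-only.

function Get-ExeFromCommandLine {
    # Pull the program path out of a command line such as
    #   "C:\Program Files\X\x.exe" -svc    or    %SystemRoot%\System32\foo.exe -k net
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return $cl.Trim('"')
    }
    $m = [regex]::Match($cl, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-SignerSummary {
    # Returns e.g. "Valid: CN=Microsoft Windows, O=Microsoft Corporation, ..."
    # or "NotSigned: (unsigned)" or "HashMismatch: CN=...". Windows binaries signed
    # only through a catalog can show NotSigned here; treat those as "verify by hand".
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'file missing or path unresolved' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    return "$($sig.Status): $subject"
}

function Get-PersistenceInventory {
    $rows = [System.Collections.Generic.List[object]]::new()

    # Scheduled task actions (the writeup's XCCProcess and "NVIDIA App SelfUpdate" tasks)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $exe = Get-ExeFromCommandLine $action.Execute
                $rows.Add([pscustomobject]@{ Source = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)";
                                             Exe = $exe; Signer = (Get-SignerSummary $exe) })
            }
        }
    }
    # Service binaries (the writeup's "System Diagnostics Host" watchdog)
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ExeFromCommandLine $svc.PathName
        $rows.Add([pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Exe = $exe; Signer = (Get-SignerSummary $exe) })
    }
    # Enabled inbound-allow firewall rules scoped to a program (the writeup's XCCProcess rules for mppr.exe)
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -and $program -ne 'Any') {
            $exe = [Environment]::ExpandEnvironmentVariables($program)
            $rows.Add([pscustomobject]@{ Source = 'Firewall'; Name = $rule.DisplayName; Exe = $exe; Signer = (Get-SignerSummary $exe) })
        }
    }
    return $rows
}

# Triage view: anything not validly signed by Microsoft sorts to the top.
Get-PersistenceInventory |
    Sort-Object { $_.Signer -match '^Valid: .*O=Microsoft Corporation' }, Source, Name |
    Format-Table Source, Name, Exe, Signer -AutoSize -Wrap
```

The sort key is a boolean, so rows whose signer is not a valid Microsoft signature come first; on a machine like the one described, a service binary in `C:\Windows\System32\` signed by anyone other than Microsoft, or an inbound-allow rule whose program is not a known application, is the line to investigate.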
Command & Control (C2) Server:
Domain: vviukjdsjnj25i5.bounceme.net
Port: 12666 (TCP)
Connected by: Trojanized NvContainer.exe
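Three local checks for the indicators in this section, added here as an example rather than taken from the writeup: whether the DNS client cache has resolved the C2 name, whether any TCP connection currently targets port 12666 and which process owns it, and which processes hold TCP listeners (the RAT accepted inbound connections). Only local state is read; no packet is sent to the C2 host. The domain and port are the writeup's values; the function names `Get-ProcessLabel` and `Get-C2Indicators` are this example's own. Run elevated so that process paths for SYSTEM-owned sockets are readable.

```powershell
# Added example (not from the writeup): local checks for the C2 indicators above.
# Indicator values are from the writeup; no traffic is generated toward them.
$C2Host = 'vviukjdsjnj25i5.bounceme.net'
$C2Port = 12666

function Get-ProcessLabel {
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { return "$($p.ProcessName) [$ProcessId] $($p.Path)" }
    return "pid $ProcessId (exited)"
}

function Get-C2Indicators {
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. DNS client cache: has anything on this box resolved the C2 name?
    #    The cache is in memory only, so a reboot clears this evidence.
    foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Host*" })) {
        $hits.Add([pscustomobject]@{ Kind = 'DNS cache'; Detail = "$($e.Entry) -> $($e.Data)"; Owner = '' })
    }
    # 2. Any TCP connection to the C2 port, with its owning process
    #    (the writeup's beacon was the trojanized NvContainer.exe).
    foreach ($c in Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue) {
        $hits.Add([pscustomobject]@{ Kind = 'C2 connection';
                                     Detail = "$($c.RemoteAddress):$($c.RemotePort) $($c.State)";
                                     Owner = (Get-ProcessLabel $c.OwningProcess) })
    }
    # 3. Every TCP listener with its owner. The RAT (mppr.exe) accepted inbound
    #    connections, so an unfamiliar listener owned by a System32 binary is the
    #    thing to look for here.
    foreach ($l in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
        $hits.Add([pscustomobject]@{ Kind = 'Listener';
                                     Detail = "$($l.LocalAddress):$($l.LocalPort)";
                                     Owner = (Get-ProcessLabel $l.OwningProcess) })
    }
    return $hits
}

Get-C2Indicators | Sort-Object Kind, Detail | Format-Table -AutoSize -Wrap
```

The listener list is long on any Windows machine (svchost.exe, lsass.exe, System), so compare the `Owner` column against what you expect rather than reading it cold; the DNS-cache and port-12666 rows should simply be empty on a clean host.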
---
What Is Likely Compromised
Assume everything on this PC is compromised:
- All saved passwords in Chrome, Edge, and other browsers
- Discord token (attacker can fully impersonate you)
- Steam, Epic, Ubisoft accounts (gaming session theft)
- Banking, email, and payment accounts that were open in browsers
- OneDrive / cloud storage (malware was actively syncing files)
- Any personal or work files on the PC
- Full remote access via the RAT
---
Immediate Recommended Actions (Do These Now)
From a clean device (phone or another computer):
1. Change ALL passwords immediately — especially email, banking, Discord, Steam, Epic, and Ubisoft.
2. Enable 2FA / MFA everywhere (use an authenticator app, not SMS when possible).
3. Revoke active sessions/tokens: Change Discord password (invalidates old tokens). Log out of all Steam/Epic/Ubisoft sessions.
4. Check bank and payment accounts for unauthorized transactions.
5. Review any accounts linked to the compromised email.
On the infected PC:
1. Reboot — this removes the injected MSLDRIVER.DLL from memory.
2. After reboot, run a full Malwarebytes scan (and preferably a second reputable scanner).
3. Never disable your antivirus to run a game hack again. This is exactly how they get you.
---
Bottom Line
This was not a simple virus.
It was a professional-grade, multi-stage infection consisting of:
- Functional game cheat (to lure you)
- Cryptocurrency miner (targeting gamers with powerful GPUs)
- Full remote access trojan (RAT)
- Kernel-level rootkit for maximum stealth
- Multiple persistence mechanisms (service, tasks, registry hijacks, firewall rules)
The system cannot be fully trusted even after cleaning. If you have extremely sensitive data, consider a full wipe and reinstall of Windows.
Stay safe — and avoid downloading game cheats.