Originally Posted by Jlmods
(Post 40553264)
THIS IS A VIRUS IT MINE BITCOIN AND STEALS YOUR INFORMATION
Infection Timeline & Source Analysis
March 25, 2026 This is the key date. Multiple things appeared that day:
Evidence Date What it tells us
EXO folder on Desktop (cheat payload .bin files) 3/25 9:00 PM Game cheat/hack downloaded
NVIDIA_app_v11.0.6.383.exe in Downloads 3/25 1:27 PM Possibly trojanized NVIDIA installer
Trojanized NvContainer.exe (TLauncher signed) Active since ~3/25 Replaced real NVIDIA component
Staging files in SystemTemp (TLauncher/Famatech signed) 3/263/27 Malware deploying additional payloads
The Rainbow Six hack you downloaded on the 25th is almost certainly the initial dropper. Here's why:
1. The EXO folder on your Desktop contained .bin payload files all dated 3/25 at 9:00 PM that's cheat loader data
2. SZ1WANQPJDK.COM was in that same EXO folder Malwarebytes flagged it as Generic.Malware/Suspicious
3. DCONTROL.EXE on Desktop this is "Defender Control," a tool to disable Windows Defender. The hack likely told you to "disable your AV before running" that's a red flag every time
What the Malware Did (Full Picture)
Stage 1 The R6 hack (Day 1, March 25):
You ran the hack, it asked you to disable Defender (or used DCONTROL.EXE to do it automatically)
It disabled Defender via IFEO hijack (mpcmdrun.exe → systray.exe) and registry policies
Dropped the EXO folder with cheat binaries + hidden malware
Stage 2 Deployment (March 2527):
Installed SystemDiagnosticsHost.exe as a Windows Service (watchdog)
Deployed svchostnon.exe cryptominer using your RTX 3090 (that's why they target gamers powerful GPUs)
Deployed mppr.exe backdoor/RAT (68GB virtual memory, accepting inbound connections)
Replaced your user-local NvContainer.exe with a trojanized copy connecting to C2 server
Installed VQ7KE2T7L5W.SYS kernel rootkit driver (this is why files were invisible to Get-Item)
Loaded DDB64.DLL another bitcoin miner component
Injected MSLDRIVER.DLL into explorer.exe persistence + stealth (still loaded, deleted on reboot)
Set Userinit hijack for reboot persistence
Created 7+ scheduled tasks under fake names for respawning
Stage 3 Ongoing operation:
Mining crypto on your GPU/CPU 24/7
Maintaining backdoor access via port 12666 to vviukjdsjnj25i5.bounceme.net
The gogoduck registry key stored encoded C2 configuration
Firewall rules allowed inbound connections (full remote access)
What's Likely Compromised
Assume everything is compromised:
�� All saved passwords in Chrome/Edge stealers grab these first
�� Discord token they can access your Discord as you
�� Steam session possible account theft
�� Any banking/email open in browser
�� OneDrive HTGH.EXE was found IN your OneDrive folder (malware was syncing to cloud)
�� Any files on your PC the RAT had full access
Immediate Actions (from a different device)
1. Change ALL passwords NOW from your phone or another computer
2. Enable 2FA everywhere Steam, Discord, email, banking, Epic, Ubisoft
3. Revoke Discord tokens change password (this invalidates old tokens)
4. Check bank/payment accounts for unauthorized activity
5. Reboot this PC the renamed MSLDRIVER.DLL will be deleted and Defender can potentially re-enable
6. After reboot run a full Malwarebytes scan again to confirm everything is clean
7. Never disable your AV to run a game hack that's literally the malware telling you to open the door
The hack was the trojan horse. It worked as a cheat too that's how they get you to keep running it.
�� Full Malware Inventory R6 Cheat Dropper (March 25, 2026)
Infection Vector
Source: Rainbow Six Siege hack download (March 25, 2026)
Initial dropper: Cheat executable in C:\Users\...\Desktop\EXO\ folder
Code-signing entity: Files falsely signed as "TLauncher Inc." and "Famatech Corp BVI" (both fake/stolen certs)
---
�� Malicious Files
File Location Purpose
svchostnon.exe C:\Windows\System32\ Cryptominer consumed 25GB+ RAM, mimics svchost.exe
mppr.exe C:\Windows\System32\ RAT/Backdoor 68GB virtual memory, accepted inbound connections
splwow32.exe C:\Windows\System32\ Malware loader fake name mimicking real Windows print component
SystemDiagnosticsHost.exe C:\Windows\System32\ Watchdog service respawns killed malware processes
CORPerfMonSymbols.exe C:\Windows\System32\ Login persistence injected into Userinit registry
usbperfsym.exe C:\Windows\System32\ Scheduled task payload launched by XCCProcess tasks
DDB64.DLL C:\Windows\System32\ BitcoinMiner module loaded DLL for mining operations
MSLDRIVER.DLL C:\Windows\Media\ Trojan.Crypt.MSIL injected into explorer.exe, survives logoff
VQ7KE2T7L5W.SYS C:\Windows\System32\drivers\ Kernel rootkit driver ring-0 access, hides malware from OS
NvContainer.exe C:\Users\...\AppData\Local\NVIDIA Corporation\NVIDIA App\ Trojanized NVIDIA fake NvContainer, connected to C2 server. Signed "TLauncher Inc.", HashMismatch
NvContainer.exe C:\Windows\SYSTEM32\config\systemprofile\AppData\L ocal\NVIDIA Corporation\NVIDIA App\ Same trojan SYSTEM profile copy
RC_ConnectedAccount.exe C:\Windows\SystemTemp\ Staging dropper signed "Famatech Corp BVI"
2 more files C:\Windows\SystemTemp\ Staging files signed as fake "TLauncher" and fake "Node.js"
BGDIUE.EXE C:\Users\...\AppData\Local\Temp\ Malware payload
DCONTROL.EXE C:\Users\...\Desktop\ DefenderControl disables Windows Defender (Stage 1 of attack)
SZ1WANQPJDK.COM C:\Users\...\Desktop\EXO\ Generic.Malware
HTGH.EXE C:\Users\...\OneDrive\Desktop\ Malware syncing to cloud via OneDrive
8Χ TMP*.EXE files C:\Users\...\AppData\Local\Temp\ Temporary malware executables
TMPEEB7 C:\Users\...\AppData\Local\Temp\ Temp malware payload
---
⚙️ Malicious Windows Service
Service Name Display Name Executable Purpose
System Diagnostics Host System Diagnostics Host SystemDiagnosticsHost.exe Watchdog auto-restarts killed malware. Registered as real Windows service. Ran as SYSTEM.
---
�� Malicious Scheduled Tasks (7+)
Task Name Executable Purpose
XCCProcess (Χ3+ variants) usbperfsym.exe Persistence launches miner/RAT components
NVIDIA App SelfUpdate Trojanized NvContainer.exe Fake NVIDIA update task persistence for C2 backdoor
3+ additional unnamed tasks Various malware EXEs Auto-restart and deployment
---
�� Registry Hijacks
Registry Path Value Malware Set To Purpose
HKLM\...\Image File Execution Options\mpcmdrun.exe Debugger systray.exe IFEO Hijack redirects Defender's CLI scanner to a dummy, prevents Defender from scanning
HKLM\...\Winlogon Userinit userinit.exe, CORPerfMonSymbols.exe Login persistence malware runs every time ANY user logs in
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware 1 Defender kill policy-level disable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiVirus 1 Defender kill policy-level disable
HKLM\SOFTWARE\Microsoft\Windows Defender DisableAntiSpyware 1 Defender kill direct key disable
HKLM\SOFTWARE\Microsoft\Windows Defender DisableAntiVirus 1 Defender kill direct key disable
HKCU\SOFTWARE\gogoduck (entire key) Base64-encoded data RiskWare encoded config/payload data
---
�� Malicious Firewall Rules
Rule Name Direction Action Target
XCCProcess (Χ4 rules) Inbound Allow mppr.exe allows remote attackers to connect IN to the RAT
---
�� C2 (Command & Control) Server
Domain Port Protocol Connected By
vviukjdsjnj25i5.bounceme.net 12666 TCP Trojanized NvContainer.exe
Stage 1: DCONTROL.EXE disables Windows Defender
↓
Stage 2: Dropper deploys all components
├── Cryptominer: svchostnon.exe + DDB64.DLL (Bitcoin mining)
├── RAT/Backdoor: mppr.exe (remote access, 68GB virtual memory)
├── Rootkit: VQ7KE2T7L5W.SYS (kernel-level hiding)
├── C2 Beacon: NvContainer.exe → bounceme.net:12666
└── DLL Inject: MSLDRIVER.DLL → explorer.exe
↓
Stage 3: Persistence installed
├── Windows Service: "System Diagnostics Host" (watchdog)
├── 7+ Scheduled Tasks (XCCProcess, fake NVIDIA update)
├── IFEO hijack on mpcmdrun.exe (blocks Defender scans)
├── Userinit hijack (runs on every login)
├── Firewall rules (allows inbound RAT connections)
└── Registry disable of Defender (4 keys)
Infection Timeline & Source Analysis
March 25, 2026 this is the key date. Everything started here.
Evidence | Date | What it tells us
EXO folder with .bin payloads | 3/25 9:00 PM | Cheat loader + malware payload
Suspicious NVIDIA installer in Downloads | 3/25 1:27 PM | Likely trojanized installer
Trojanized NvContainer.exe | Active since ~3/25 | Replaced legit NVIDIA component
SystemTemp staging files | 3/263/27 | Malware deploying additional payloads
The cheat I downloaded that day was the initial dropper.
Heres how I know:
EXO folder had payload files all timestamped the same time
There was a flagged suspicious file inside that folder
There was also a tool used to disable Windows Defender
Thats the classic setup disable AV → run payload.
What the Malware Did (Full Breakdown)
Stage 1 Initial Execution (March 25)
Disabled Windows Defender using registry + IFEO hijack
Dropped payload files
Set up initial persistence
Stage 2 Deployment (March 2527)
Installed a watchdog service to respawn malware
Deployed a cryptominer (using GPU/CPU)
Deployed a RAT/backdoor (accepting inbound connections)
Replaced legitimate NVIDIA process with trojanized version
Installed a kernel-level rootkit driver (hides everything)
Injected DLL into explorer.exe for stealth
Stage 3 Ongoing Operation
Mining crypto constantly
Maintaining remote access to the machine
Using firewall rules to allow inbound connections
Storing encoded config data in registry
Syncing malware-related files to cloud storage
Command & Control (C2)
Connected to remote server:
vviukjdsjnj25i5.bounceme.net:12666
This is how they:
Control the system
Send commands
Pull data
Whats Likely Compromised
At this point, assume everything:
Browser saved passwords (Chrome/Edge)
Discord account/token
Steam and other gaming accounts
Email accounts
Banking/payment sessions
Any files on the PC
Cloud storage (files were syncing)
This wasnt just local it had full access.
Malware Components Identified
Executables:
svchostnon.exe → cryptominer
mppr.exe → RAT/backdoor
SystemDiagnosticsHost.exe → watchdog service
CORPerfMonSymbols.exe → login persistence
usbperfsym.exe → scheduled task payload
NvContainer.exe → trojanized NVIDIA process
DLLs / Drivers:
DDB64.DLL → mining module
MSLDRIVER.DLL → injected into explorer.exe
VQ7KE2T7L5W.SYS → kernel rootkit
Persistence Mechanisms
Fake Windows service running as SYSTEM
7+ scheduled tasks (auto-relaunch malware)
Userinit registry hijack (runs on login)
IFEO hijack blocking Defender scans
Multiple registry keys disabling Defender
Firewall rules allowing inbound RAT access
Bottom Line
This wasnt just a virus
This was:
Multi-stage infection
Crypto miner
Full remote access backdoor
Kernel-level rootkit
Once that rootkit is in, the system cannot be trusted.
Immediate Actions I Took / Recommend
From another device:
Changed ALL passwords
Enabled 2FA everywhere
Revoked sessions/tokens (Discord, Steam, etc.)
Checked financial accounts
On the infected PC:
Rebooted system
Ran full malware scans
**WARNING: This is a highly sophisticated multi-stage malware infection**
Infection Date: March 25, 2026
Initial Vector: Rainbow Six Siege game hack / cheat (the trojan horse that also worked as a functional cheat)
---
Infection Timeline & Source Analysis
Key Date: March 25, 2026
Evidence | Date/Time | What It Tells Us
--- | --- | ---
EXO folder on Desktop (.bin payloads) | 3/25 9:00 PM | Game cheat/hack downloaded + malware dropper
NVIDIA_app_v11.0.6.383.exe | 3/25 1:27 PM | Likely trojanized NVIDIA installer
Trojanized NvContainer.exe | Active since ~3/25 | Replaced legitimate NVIDIA component
Staging files in SystemTemp | 3/263/27 | Malware deploying additional payloads
How we know the Rainbow Six hack was the initial dropper:
1. The EXO folder on your Desktop contained .bin payload files all timestamped 3/25 at 9:00 PM classic cheat loader data.
2. SZ1WANQPJDK.COM was in the same EXO folder flagged by Malwarebytes as Generic.Malware/Suspicious.
3. DCONTROL.EXE on Desktop this is "Defender Control", a tool that disables Windows Defender. The hack almost certainly instructed you to "disable your antivirus before running" (a universal red flag).
---
What The Malware Did (Full Breakdown)
Stage 1 Initial Execution (March 25)
- Ran the R6 hack, which prompted (or automatically ran) DCONTROL.EXE to disable Windows Defender.
- Disabled Defender through multiple methods: IFEO hijack (mpcmdrun.exe → systray.exe) and registry policies.
- Dropped the EXO folder containing cheat binaries + hidden malware payloads.
Stage 2 Deployment (March 2527)
- Installed SystemDiagnosticsHost.exe as a legitimate-looking Windows Service (watchdog).
- Deployed svchostnon.exe cryptominer aggressively using your RTX 3090 GPU.
- Deployed mppr.exe full-featured RAT/backdoor (68 GB virtual memory, accepting inbound connections).
- Replaced your user-local NvContainer.exe with a trojanized version (signed with stolen "TLauncher Inc." certificate) that connects to a C2 server.
- Installed VQ7KE2T7L5W.SYS kernel-mode rootkit driver.
- Loaded DDB64.DLL additional Bitcoin miner component.
- Injected MSLDRIVER.DLL into explorer.exe for persistence and stealth (deleted on reboot).
- Set Userinit registry hijack for boot/login persistence.
- Created 7+ scheduled tasks under fake names to keep respawning components.
Stage 3 Ongoing Operation
- Cryptomining 24/7 on your GPU and CPU.
- Maintaining persistent backdoor access via port 12666 to vviukjdsjnj25i5.bounceme.net.
- Storing encoded C2 configuration in the gogoduck registry key.
- Creating firewall rules to allow inbound remote connections.
- Syncing malware files to your OneDrive (HTGH.EXE was found in your OneDrive folder).
---
Full Malware Inventory
Malicious Files:
File | Location | Purpose
--- | --- | ---
svchostnon.exe | C:\Windows\System32\ | Cryptominer (high RAM + GPU usage, mimics svchost.exe)
mppr.exe | C:\Windows\System32\ | RAT/Backdoor (accepts inbound connections)
splwow32.exe | C:\Windows\System32\ | Malware loader (fake Windows print spooler name)
SystemDiagnosticsHost.exe | C:\Windows\System32\ | Watchdog service respawns killed malware
CORPerfMonSymbols.exe | C:\Windows\System32\ | Login persistence (injected via Userinit)
usbperfsym.exe | C:\Windows\System32\ | Scheduled task payload
DDB64.DLL | C:\Windows\System32\ | Bitcoin miner DLL
MSLDRIVER.DLL | C:\Windows\Media\ | Trojan DLL injected into explorer.exe
VQ7KE2T7L5W.SYS | C:\Windows\System32\drivers\ | Kernel rootkit (hides files/processes)
NvContainer.exe | Multiple (User + SYSTEM NVIDIA folders) | Trojanized NVIDIA component connecting to C2 (fake "TLauncher Inc." signature)
RC_ConnectedAccount.exe | C:\Windows\SystemTemp\ | Staging dropper (signed "Famatech Corp BVI")
BGDIUE.EXE | C:\Users\...\AppData\Local\Temp\ | Malware payload
DCONTROL.EXE | Desktop | Defender Control (disables antivirus)
SZ1WANQPJDK.COM | Desktop\EXO\ | Suspicious malware component
HTGH.EXE | OneDrive\Desktop\ | Malware that synced to cloud storage
Multiple TMP*.EXE files | C:\Users\...\AppData\Local\Temp\ | Temporary malware executables
Malicious Windows Service:
Service Name: System Diagnostics Host
Display Name: System Diagnostics Host
Executable: SystemDiagnosticsHost.exe
Purpose: Watchdog runs as SYSTEM and restarts malware if killed
Malicious Scheduled Tasks (7+):
Task Name | Executable | Purpose
--- | --- | ---
XCCProcess (multiple variants) | usbperfsym.exe | Persistence relaunches miner and RAT
NVIDIA App SelfUpdate | Trojanized NvContainer.exe | Fake update task for C2 backdoor
Additional unnamed tasks | Various | Auto-restart and deployment
Registry Hijacks & Modifications:
Registry Path | Value | Set To | Purpose
--- | --- | --- | ---
HKLM\...\Image File Execution Options\mpcmdrun.exe | Debugger | systray.exe | Blocks Windows Defender scans
HKLM\...\Winlogon\Userinit | Userinit | userinit.exe, CORPerfMonSymbols.exe | Runs malware on every login
Multiple Defender keys (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, etc.) | DisableAntiSpyware / DisableAntiVirus | 1 | Completely disables Windows Defender
HKCU\SOFTWARE\gogoduck | (entire key) | Base64-encoded data | Stores encoded C2 configuration
Malicious Firewall Rules:
Rule Name | Direction | Action | Target
--- | --- | --- | ---
XCCProcess (Χ4) | Inbound | Allow | mppr.exe allows remote attackers to connect to the RAT
Command & Control (C2) Server:
Domain: vviukjdsjnj25i5.bounceme.net
Port: 12666 (TCP)
Connected by: Trojanized NvContainer.exe
---
What Is Likely Compromised
Assume everything on this PC is compromised:
- All saved passwords in Chrome, Edge, and other browsers
- Discord token (attacker can fully impersonate you)
- Steam, Epic, Ubisoft accounts (gaming session theft)
- Banking, email, and payment accounts that were open in browsers
- OneDrive / cloud storage (malware was actively syncing files)
- Any personal or work files on the PC
- Full remote access via the RAT
---
Immediate Recommended Actions (Do These Now)
From a clean device (phone or another computer):
1. Change ALL passwords immediately especially email, banking, Discord, Steam, Epic, and Ubisoft.
2. Enable 2FA / MFA everywhere (use an authenticator app, not SMS when possible).
3. Revoke active sessions/tokens: Change Discord password (invalidates old tokens). Log out of all Steam/Epic/Ubisoft sessions.
4. Check bank and payment accounts for unauthorized transactions.
5. Review any accounts linked to the compromised email.
On the infected PC:
1. Reboot this removes the injected MSLDRIVER.DLL from memory.
2. After reboot, run a full Malwarebytes scan (and preferably a second reputable scanner).
3. Never disable your antivirus to run a game hack again. This is exactly how they get you.
---
Bottom Line
This was not a simple virus.
It was a professional-grade, multi-stage infection consisting of:
- Functional game cheat (to lure you)
- Cryptocurrency miner (targeting gamers with powerful GPUs)
- Full remote access trojan (RAT)
- Kernel-level rootkit for maximum stealth
- Multiple persistence mechanisms (service, tasks, registry hijacks, firewall rules)
The system cannot be fully trusted even after cleaning. If you have extremely sensitive data, consider a full wipe and reinstall of Windows.
Stay safe and avoid downloading game cheats.
|
