OP 26 December, 2025 - 11:32 PM
(This post was last modified: 26 December, 2025 - 11:54 PM by HentaiRefund. Edited 7 times in total.)
Scammers Profile Link: https://cracked.sh/Tom-Nook
Sales Thread: https://cracked.sh/Thread-Supreme-%E2%AD...-%E2%AD%90
Screenshots of Communication: He deleted the chat. Basically he gave me the tool, I did everything and started the .exe, and got ratted by it: Windows Defender turned off, drivers installed that are blocking core isolation, telling Windows I'm not an admin while still showing as admin, installed https://syncromsp.com/platform/rmm/remote-access/, changed things in the registry. Almost a good RAT, if he wouldn't be so stupid as to not do what he does on the PC in a hidden way. Fucking bitch
Additional Information:
I looked into the HEX Code:
- Hard-coded C2: at offset 0x0009BC40 the PE contains the literal bytes 68 74 74 70 73 3a 2f 2f 64 65 73 65 72 76 65 64 2e 6d 65 (https://deserved.me). Nearby strings include /api/camera/user/ (0x00097E50, bytes 2f 61 70 69 2f 63 61 6d 65 72 61 2f 75 73 65 72) and /api/camera/auth/login (0x0009D690, bytes 65 73 70 6f 6e 73 65 00 2f 61 70 69 2f 63 61 6d 65 72 61 2f 61 75 74 68 2f 6c 6f 67 69 6e 00 00). Together they prove the binary is wired to that domain and endpoints.
- Credential cache in registry: UTF‑16 blobs beginning at 0x0009BE60 encode SOFTWARE\DeservedCam, followed by value names AuthToken, LastAuthTime, Username, LicenseType, UserId, AccessCode, RememberLogin (bytes such as 57 00 41 00 52 00 45 00 5C 00 44 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 43 00 61 00 6D 00). That proves credentials are written to HKCU\SOFTWARE\DeservedCam.
- Local config footprint: DeservedCam.log repeatedly states “Loading configuration from: C:\Users\tbilisi\AppData\Local\DeservedCam\DeservedCam.ini” (lines 4, 425, 2108), showing persistence under %LOCALAPPDATA%\DeservedCam\.
- Persistent credential storage: the same log file records “Preserved login credentials for user … Settings reset completed with authentication data preserved” (e.g. lines 1383, 2098, 2157), confirming harvested credentials are kept between sessions.
- Active credential exfiltration: the PE imports WinINet functions such as HttpSendRequestA (ASCII string visible around offset 0x000D1C60). Runtime logs show HTTP request returned status 401 … Login request failed for each attempt (lines 46–57), proving the executable is actively transmitting login data via HTTPS.
- Fake Microsoft metadata: the version-info resource near 0x00105000 contains UTF‑16 strings dwmcore.exe and Microsoft Windows Operating System, demonstrating the malware impersonates a Windows component.
- Bundled MITM crack: CRACK\run_deserved_local.bat (lines 20–98) adds 127.0.0.1 deserved.me to the hosts file, installs a rogue certificate via mkcert, and launches python -u qwe.py. The Python script (CRACK\qwe.py:1–60) dumps every request and returns a canned JSON only for /api/camera/auth/login, proving the package is designed to intercept/listen for victim credentials.
- No legitimate driver files: FIX_DEVICE_CORRUPTION.bat claims to regsvr32 DLLs\IntegratedCameraFilter32/64.dll (lines 31–65), yet the DLLs folder contains only unsigned msvcp_win32.dll / msvcp_win64.dll. That mismatch shows the supposed driver registration is fake theatre.
TOOL DOWNLOAD (DON'T RUN IT, IT'S A RAT. IF YOU WANT TO CONFIRM THE THINGS I SAY, FEEL FREE TO DO IT): https://www.file-upload.net/download-155...01.7z.html
Installed drivers were:
oem53.inf (Huawei incorporated)
oem55.inf (Huawei incorporated)
acedrv11.sys (Protect Software GMBH)
Huawei Technologies Co., Ltd. (hw_quusbmdm.sys)
Most important:
- The bundled “drivers” are fake (msvcp_win*.dll pretending to be camera filters) and the UI metadata is forged (dwmcore.exe).
- Does everything to block the deserved.me site, where the tool is from. He worked together with the owner for a time, but they stopped; I can't say if the owner is safe or if he is also in the scam.
- Also, it seems that he is actively stealing login data for deserved.me, which makes absolutely no sense to me. Maybe he did it because, when he still worked with the owner, he gave this tool to customers and at the same time stole the automatic login details or something. At least that is my guess; I can't say 100% for sure.
So the user scams people out of 300 EUR and after that also rats the victim =)
Do what you want with it. This user is a scam and should not exist here. If needed, I can send screenshots of the chat with the owner, who confirms that he's a scam.
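The hex findings listed in the post can be checked without executing anything by searching the file's bytes for the same strings in both ASCII and UTF-16LE and noting the hexdump row each hit falls in. This is an added example, not part of the original post; the indicator strings are the ones quoted above, and the buffer returned by `build_sample()` is constructed for illustration and is not the file from the post.

```python
import sys

# Strings quoted in the post's hex analysis (domain, endpoints, registry key,
# value name, WinINet import, forged version-info fields).
INDICATORS = [
    "https://deserved.me",
    "/api/camera/user/",
    "/api/camera/auth/login",
    "SOFTWARE\\DeservedCam",
    "AuthToken",
    "HttpSendRequestA",
    "dwmcore.exe",
    "Microsoft Windows Operating System",
]

def find_indicators(data, indicators=INDICATORS):
    """Return sorted (offset, codec, string) hits; the bytes are only read, never run."""
    hits = []
    for text in indicators:
        # PE string tables are ASCII; registry paths and version info are UTF-16LE.
        for codec in ("ascii", "utf-16-le"):
            needle = text.encode(codec)
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, codec, text))
                pos = data.find(needle, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed buffer standing in for a binary; NOT the file from the post."""
    blob = bytearray(0x200)
    for offset, raw in [
        (0x040, b"https://deserved.me"),
        (0x098, b"/api/camera/auth/login"),
        (0x100, "SOFTWARE\\DeservedCam".encode("utf-16-le")),
    ]:
        blob[offset:offset + len(raw)] = raw
    return bytes(blob)

def report(data):
    """Format each hit with the 16-byte hexdump row it falls in."""
    return [f"0x{pos:08X} (row 0x{pos & ~0xF:08X}) {codec:9} {text}"
            for pos, codec, text in find_indicators(data)]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(report(data)) or "no indicators found")
```

Run it with a file path as the only argument on an isolated analysis machine; with no argument it scans the constructed buffer.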