FREE UNBAN Free unban "в52"



Vasko
19-03-2021, 12:38 AM
LAST REPORT ID (OPTIONAL): No report detail See screenshot
NICK: vasko
IP (OPTIONAL): private
STEAM ID: STEAM_0:1:456579831
OTHER INFORMATION: Your program is detected as malware and a virus (source: VirusTotal),
so I tested it before on my OracleVM test machine.

Tiger
20-03-2021, 11:06 AM
I doubt that. If you considered the app malware, why did you test it on a VM with your Steam on? You either are dumb or lie to my face, but either way you won't get unbanned. You have to pay the 5th degree unban fee for an unban.

Vasko
20-03-2021, 12:17 PM
I tested it on a VM with my Steam because I'm not afraid of losing my Steam account; it is protected by two-factor authentication.
But I can't test it on my main Windows, where I use a bank application, job and private data.

So who is dumb in this history?

Your aggressive reaction proves that your program has something bad inside.
VirusTotal report:
[link hidden: registration required] 2a14c70aa0b9f2/detection

So who is the liar in this history?

I see that your main aim is to force people to pay for unjustifiable bans, steal user data, steal the _pw field and God knows what other illegal activity, punished by European and Romanian law.

Tiger
20-03-2021, 01:14 PM
> I tested it on a VM with my Steam because I'm not afraid of losing my Steam account; it is protected by two-factor authentication.
> But I can't test it on my main Windows, where I use a bank application, job and private data.
>
> So who is dumb in this history?

Yeah... 2FA... 2FA won't save any accounts if people are dumb... Read the news/studies...

> Your aggressive reaction proves that your program has something bad inside.
> VirusTotal report:
> [link hidden: registration required] 2a14c70aa0b9f2/detection
>
> So who is the liar in this history?

You are free to analyze wCD; you are not allowed to create (fake) reports. It's a big difference.

Do you really think I would have put a VirusTotal link and a checksum of the binaries on the download page if I distributed malware?

Those are generic detections by AI / various internal systems. Learn the differences, or at least search for the detection name on the internet and you will find the same detection for a bunch of other executables which are clean, suspicious or malware. Those aren't signatures created by a human. Furthermore, search the VT detection history for that binary and you will see that AVs removed (generic) detections on that binary... I'll let you wonder and guess why they removed them.

> I see that your main aim is to force people to pay for unjustifiable bans, steal user data, steal the _pw field and God knows what other illegal activity, punished by European and Romanian law.

You are free to analyze wCD, but to speak garbage without analyzing the executable and coming up with proof means you are a mindless ape. Defamation is also "punished by European and Romanian law" and I can sue your ass for making false claims about my product. How about that?

LE: Why did you edit your first post and change your SteamID / nickname? Are you afraid that someone would recognize you?

Vasko
20-03-2021, 02:55 PM
Yes, I edited the main post because it's useless to post here. Anyway, you will delete or hide it.
And your program and this thread are making false claims about my name and my Steam ID. And the kid admins on Romanian servers are not able to analyze the game, but see only your suspicious program's report.

You became aggressive without any reason, just because I used a VM and showed the community the real last VirusTotal report.

Your program banned me just because I used it in a real situation: VM + real Steam + real CS server connection.
So it's not a fake report.

Wake up! For years, people have played on cloud computing services like [link hidden: registration required], which provide you a real virtual OS in the cloud. And your program will detect it as a fake report :). It's ridiculous.
I can play on Linux's Steam or on a Windows VM hosted by Linux, or any other VM for any reason. But you can't consider that a VM means a fake report.
If during the VM check you find all the needed information as on a real OS: active cstrike, active/last connection to a CS server, *.cfg files, DLLs, processes, IP, IE security settings and other information, why do you consider this an attempt to generate a fake report?
And if your program can't work on a VM, it's stupid to generate a damaging ban report.







Another report about the old and last version of your program:
Possibly checks for the presence of an Antivirus engine details
"avast" (Indicator: "avast")

Touches files in the Windows:
"<Input Sample>" touched file "%WINDIR%\Microsoft.NET\Framework\...."
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll.aux"
"<Input Sample>" touched file "C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll"
"<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux"
"<Input Sample>" touched file "C:\Windows\assembly\pubpol47.dat"
"<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\8990487b8c05ada1e1febe7dcb6c0410\System.Windows.Forms.ni.dll.aux"
"<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\24db7e31c7ba5b0e824e2f521c0914bc\System.Drawing.ni.dll.aux"
"<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\250e8e6af918e7ca66787117bc8633e3\System.ni.dll.aux"

URLs:
Heuristic match: "WarGods.ro"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Pattern match: "[link hidden: registration required]"
Heuristic match: "Email: amx_tiger@yahoo.com"
Pattern match: "[link hidden: registration required]"

Persistence
Writes data to a remote process
Fingerprint
Queries kernel debugger information
Queries process information
Queries sensitive IE security settings
Reads the active computer name
Reads the cryptographic machine GUID
Evasive
Tries to sleep for a long time (more than two minutes)


I understand that you need a lot of access and information to find cheat's threads,
but you must understand the fears of the user to use this kind of program and try to run it on another pc or vm.



You can attack VirusTotal for defamation.
I'm not an IT virus expert, and I trust the famous VirusTotal more than a famous Romanian CS anticheat. You must understand it.
By the way, to download your program or wg rereport I must deactivate Kaspersky Antivirus. I don't think it's nothing.

PS

> Yeah... 2FA... 2FA won't save any accounts if people are dumb... Read the news/studies...

So how must I protect my Steam account? Don't be dumb and do not run a suspicious program like wgc?
I propose you write your phrase on the page where dumb people download your program.
People will trust you much more.

Tiger
20-03-2021, 04:22 PM
> Yes, I edited the main post because it's useless to post here. Anyway, you will delete or hide it.

[link hidden: registration required]
[link hidden: registration required]!!!-Faceti-ceva-cat-mai-repede!!!
[link hidden: registration required]

I keep all these conspiracy topics; there's no reason for me to delete or hide them.



> If during the VM check you find all the needed information as on a real OS: active cstrike, active/last connection to a CS server, *.cfg files, DLLs, processes, IP, IE security settings and other information, why do you consider this an attempt to generate a fake report?
> And if your program can't work on a VM, it's stupid to generate a damaging ban report.

Then what's stopping you from using a CS with an injected cheat in it on your host, a clean CS running in your guest (VM), and creating a (fake) report using that VM when you are requested to do a wCD scan by an admin? I don't think you thought about this scenario...

About that report... let me guess, a [link hidden: registration required] report? From what I see it's an old version of wCD and I think you found one from a cracked wCD one. Can you post the link for that report?



> Possibly checks for the presence of an Antivirus engine details
> "avast" (Indicator: "avast")

There's no reference to the "avast" string in the wCD binary or its memory. This can easily be caused if they run scripts and inject data into wCD in order to monitor the process. You can test it yourself by opening a hex editor and searching for the "avast" string in the binary or in the binary's memory.



> Touches files in the Windows:
> "<Input Sample>" touched file "%WINDIR%\Microsoft.NET\Framework\...."
> "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
> "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll.aux"
> "<Input Sample>" touched file "C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll"
> "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll.aux"
> "<Input Sample>" touched file "C:\Windows\assembly\pubpol47.dat"
> "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\8990487b8c05ada1e1febe7dcb6c0410\System.Windows.Forms.ni.dll.aux"
> "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\24db7e31c7ba5b0e824e2f521c0914bc\System.Drawing.ni.dll.aux"
> "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\250e8e6af918e7ca66787117bc8633e3\System.ni.dll.aux"

Files required to load .NET Framework applications. .NET Framework loads these files.



> URLs:
> Heuristic match: "WarGods.ro"
> Pattern match: "[link hidden: registration required]"
> Pattern match: "[link hidden: registration required]"
> Pattern match: "[link hidden: registration required]"
> Pattern match: "[link hidden: registration required]"
> Pattern match: "[link hidden: registration required]"
> Pattern match: "[link hidden: registration required]"
> Heuristic match: "Email: amx_tiger@yahoo.com"
> Pattern match: "[link hidden: registration required]"

Legit URLs from WarGods + URLs to get client IP (v4) address + Ethnocentric Regular Font ([link hidden: registration required])

> Pattern match: "[link hidden: registration required]"

There's no reference to this website in the wCD binary nor signatures. Are you sure you checked the report of the original binary file? Anyway, it was a cheat website. Still clean.
There was a reference to the "[link hidden: registration required]" string in a cracked version of the wCD binary.



> Persistence
> Writes data to a remote process
> Fingerprint
> Queries kernel debugger information
> Queries process information
> Queries sensitive IE security settings
> Reads the active computer name
> Reads the cryptographic machine GUID
> Evasive
> Tries to sleep for a long time (more than two minutes)

Persistence -> legit, wCD writes a unique ID in the registry
Writes data to a remote process -> legit, they opened the URL link using Internet Explorer and use inter-process communication
Fingerprint -> legit, IP address, hardware ID, etc.
Queries kernel debugger information -> legit, the ConfuserEx obfuscator that we use does that
Queries process information -> legit, wCD does that to get process information
Queries sensitive IE security settings -> legit, they opened the URL link using Internet Explorer ... Internet Explorer reads security settings...
Reads the active computer name -> legit, whenever you open a process there are numerous calls to get the current computer name
Reads the cryptographic machine GUID -> legit, indirectly needed to establish secure communication. Your browser uses this too.
Evasive -> maybe their algorithm thought it's evasive because they considered that the app doesn't do anything (read the next entry)
Tries to sleep for a long time (more than two minutes) -> if you don't have CS running of course it's sleeping... there's nothing to be done xD



> I understand that you need a lot of access and information to find cheat's threads,
> but you must understand the fears of the user to use this kind of program and try to run it on another pc or vm.

As I said, you are free to analyze wCD but not to generate a (fake) report using VMs.

> By the way, to download your program or wg rereport I must deactivate Kaspersky Antivirus. I don't think it's nothing.

Maybe because of the ads?! Usually AVs block these. Kaspersky doesn't detect wCD, as you can see on the VT page. You can post the detection name here and if it's from the wCD binary I will report it to Kaspersky.



> So how must I protect my Steam account? Don't be dumb and do not run a suspicious program like wgc?

When you consider an app to be malware and you want to test it inside a VM, you don't use your personal accounts or any other information about you. It's common logic... you totally throw away your logic (suspicious #1).

Recently, you ran wCD on your personal computer without worrying about that (suspicious #2).

Don't you think it's very suspicious what you did? I hope now you realize what I meant by "You either are dumb or lie to my face".
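
An added example (not part of the thread, and not wCD or sandbox code): the on-disk half of the string check suggested in the post above, scripted instead of done by hand in a hex editor. It looks for both ASCII and UTF-16LE forms, since .NET string literals are stored as UTF-16, and compares the file hash with a published checksum; the function names, the sample bytes and the choice of SHA-256 are assumptions. A miss on disk does not cover strings that an obfuscator decodes only at runtime, which is why the post also mentions process memory.

```python
import hashlib
import hmac

# Constructed sample: a fake PE stub holding "Avast" as UTF-16LE and "AVAST!" as ASCII.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + "Avast".encode("utf-16-le") + b"\xff\xfe" + b"AVAST!" + b"\x00" * 4)

ENCODINGS = (("ascii", "ascii"), ("utf-16le", "utf-16-le"))


def find_indicator(data: bytes, needle: str):
    """Return sorted (offset, encoding) hits for needle, ignoring ASCII case."""
    lowered = data.lower()  # bytes.lower() only folds A-Z, other bytes are untouched
    hits = []
    for label, codec in ENCODINGS:
        pattern = needle.lower().encode(codec)
        pos = lowered.find(pattern)
        while pos != -1:
            hits.append((pos, label))
            pos = lowered.find(pattern, pos + 1)
    return sorted(hits)


def matches_published_hash(data: bytes, published_sha256: str) -> bool:
    """True if the file's SHA-256 equals the published checksum.

    Assumption: the download page lists a SHA-256 hex digest.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


if __name__ == "__main__":
    # Print every place the indicator occurs in the constructed sample.
    for offset, label in find_indicator(SAMPLE, "avast"):
        print(f"0x{offset:04x}  {label}")
```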

Vasko
20-03-2021, 06:29 PM
Thank you for all these details, but I didn't say that wcd is a virus.
I explained the reason why I tested it on a VM: because of too many suspicions (VirusTotal, Kaspersky, etc.)




> When you consider an app to be malware and you want to test it inside a VM, you don't use your personal accounts or any other information about you. It's common logic... you totally throw away your logic (suspicious #1).

I told you the VM was installed just for this test, and the only private information is my IP and SteamID.

> Recently, you ran wCD on your personal computer without worrying about that (suspicious #2).

Yes, because I have an interest in not being banned on the server where I'm playing.
I installed a special Windows just to play CS and run wcd to satisfy child admins.

> As I said, you are free to analyze wCD but not to generate a (fake) report using VMs.

What is a report?
(1) Run wcd with CS open?
or
(2) Run wcd with CS open and connected to the server?

If (1), anyone can generate a fake clean report by running CS and wcd on a sister's PC.

> Then what's stopping you from using a CS with an injected cheat in it on your host, a clean CS running in your guest (VM), and creating a (fake) report using that VM when you are requested to do a wCD scan by an admin? I don't think you thought about this scenario...

(2) Because all admins say not to disconnect from the server or I will be banned. And WCD provides the time, last name, last server name, Steam ID. If I run the VM with another session of Steam/CS, it will be a different name or server. And anyway it is impossible to run 2 sessions of Steam, run the same game, be connected to the same server (with the same player name) and have the same STEAMID.

I don't know all the scenarios, but you or wcd can't accuse me of doing something wrong just because it ran on a VM.
It's like: you don't like that your program is called a virus just because of detection by "AI / various internal systems of virus total".

Tiger
21-03-2021, 10:39 PM
You can have 2 or more legit sessions of steam using same account for a short period of time if you use some tricks.

I decided to change my mind about your ban only because it was your first report, timestamps from that report and because you weren't connected to any server:

CS opened at: 28.11.2020 21:09:42
wCD TimeStamp: 28.11.2020 21:07:55
System time: 28.11.2020 21:11:12


If you use your VM to create another report you will be banned automatically and I won't unban you again.

I unbanned you, please check if everything works.

Vasko
22-03-2021, 01:15 PM
It's OK. Thanks.

Tiger
22-03-2021, 09:58 PM
You are welcome.

:locked: