File name:

SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746

Full analysis: https://app.any.run/tasks/eec3a03a-1425-402e-950c-da0506e02eec
Verdict: Malicious activity
Analysis date: August 13, 2024, 14:37:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D123377520ED31E0A8F336150C6041F5
SHA1: D6AE4E00D172933ADCC3D451A8104A9937AA4ED4
SHA256: 4988FD3A7DDA1657093B6D2FF5B7FEBE0924CDDA8C83117233003E1C3057A1BE
SSDEEP: 196608:wo88wAgsgOnWbLyKuVl0lCQW9ss1GCH+ji6K3bzE6hGQTP:N8+RWRug879seGC0i6Kr46Lj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6676)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6676)
      • msiexec.exe (PID: 5248)
      • dxlsetup-ma.exe (PID: 2852)
      • dxlsetup-ma.exe (PID: 5880)
      • msiexec.exe (PID: 3684)
    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • UpdaterUI.exe (PID: 4924)
    • Checks Windows Trust Settings

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6676)
      • mfemactl.exe (PID: 5476)
      • mfemactl.exe (PID: 6532)
      • masvc.exe (PID: 5956)
      • msiexec.exe (PID: 5248)
      • UpdaterUI.exe (PID: 4924)
    • Adds/modifies Windows certificates

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
    • Executable content was dropped or overwritten

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • dxlsetup-ma.exe (PID: 5880)
      • dxlsetup-ma.exe (PID: 2852)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6724)
      • macmnsvc.exe (PID: 3360)
      • masvc.exe (PID: 5956)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6676)
    • The process verifies whether the antivirus software is installed

      • msiexec.exe (PID: 6400)
      • mfemactl.exe (PID: 5476)
      • masvc.exe (PID: 5956)
      • macmnsvc.exe (PID: 3360)
      • maconfig.exe (PID: 7012)
      • mfemactl.exe (PID: 6532)
      • msiexec.exe (PID: 5248)
      • UpdaterUI.exe (PID: 4924)
      • msiexec.exe (PID: 6676)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6676)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 6676)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 6676)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6676)
    • Creates or modifies Windows services

      • maconfig.exe (PID: 7012)
      • masvc.exe (PID: 5956)
    • Application launched itself

      • dxlsetup-ma.exe (PID: 5880)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6400)
      • msiexec.exe (PID: 5248)
      • mfemactl.exe (PID: 5476)
      • maconfig.exe (PID: 7012)
      • macmnsvc.exe (PID: 3360)
      • UpdaterUI.exe (PID: 4924)
      • mfemactl.exe (PID: 6532)
      • masvc.exe (PID: 5956)
      • msiexec.exe (PID: 6676)
    • Reads the machine GUID from the registry

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6676)
      • mfemactl.exe (PID: 5476)
      • msiexec.exe (PID: 5248)
      • maconfig.exe (PID: 7012)
      • macmnsvc.exe (PID: 3360)
      • masvc.exe (PID: 5956)
      • mfemactl.exe (PID: 6532)
      • UpdaterUI.exe (PID: 4924)
    • Reads the computer name

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6676)
      • msiexec.exe (PID: 6400)
      • mfemactl.exe (PID: 5476)
      • msiexec.exe (PID: 5248)
      • maconfig.exe (PID: 7012)
      • macmnsvc.exe (PID: 3360)
      • masvc.exe (PID: 5956)
      • mfemactl.exe (PID: 6532)
      • UpdaterUI.exe (PID: 4924)
    • Create files in a temporary directory

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • FrmInst.exe (PID: 6536)
      • msiexec.exe (PID: 6560)
      • msiexec.exe (PID: 6400)
      • mfemactl.exe (PID: 5476)
      • maconfig.exe (PID: 7012)
      • UpdaterUI.exe (PID: 4924)
    • Reads the software policy settings

      • SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe (PID: 6492)
      • msiexec.exe (PID: 6676)
      • masvc.exe (PID: 5956)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6676)
    • UPX packer has been detected

      • FrmInst.exe (PID: 6536)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6676)
      • msiexec.exe (PID: 5248)
      • msiexec.exe (PID: 3684)
    • Dropped object may contain TOR URL's

      • msiexec.exe (PID: 6676)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6676)
    • Creates files in the program directory

      • maconfig.exe (PID: 7012)
      • macmnsvc.exe (PID: 3360)
      • masvc.exe (PID: 5956)
      • mfemactl.exe (PID: 6532)
    • Application launched itself

      • msiexec.exe (PID: 6676)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:04 05:00:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 181248
InitializedDataSize: 90624
UninitializedDataSize: -
EntryPoint: 0x7cc0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.8.2.929
ProductVersionNumber: 5.8.2.929
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Musarubra US LLC.
FileDescription: Framework Package Stub
FileVersion: 5.8.2.929
InternalName: wstub32.exe
LegalCopyright: Copyright (C) 2024 Musarubra US LLC. All rights reserved
OriginalFileName: wstub32.exe
ProductName: Trellix Agent
ProductVersion: 5.8.2.929
No data.
Total processes
191
Monitored processes
57
Malicious processes
11
Suspicious processes
1

Behavior graph

start securiteinfo.com.bscope.trojan.wacatac.4653.13746.exe THREAT frminst.exe msiexec.exe no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs mfemactl.exe maconfig.exe no specs macmnsvc.exe masvc.exe updaterui.exe mfemactl.exe mctray.exe no specs maconfig.exe no specs mcupdater.exe no specs dxlsetup-ma.exe dxlsetup-ma.exe SPPSurrogate no specs mfedxlutil-ma.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe mfedxlutil32.exe no specs conhost.exe no specs cleanup.exe no specs securiteinfo.com.bscope.trojan.wacatac.4653.13746.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 936
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: tasklist.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 964
CMD: -writenotifyregistrykey
Path: C:\Program Files\McAfee\Agent\maconfig.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Musarubra US LLC.
Integrity Level:
SYSTEM
Description:
Trellix Agent Configurator
Exit code:
0
Version:
5.8.2.929
PID: 1020
CMD: C:\Windows\System32\MsiExec.exe -Embedding 5B4245271B2D55EEC3BB44C33250B6DE
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
PID: 1048
CMD: /FO CSV /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1236
CMD: /FO CSV /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1452
CMD: /FI "IMAGENAME eq UpdaterUI.exe" /FO CSV /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1860
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1948
CMD: /FO CSV /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2088
CMD: /FO CSV /NH
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
24 792
Read events
24 083
Write events
691
Delete events
18

Modification events

(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: D69B561148F01C77C54578C10926DF5B856976AD
Value:
(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation: write
Name: Blob
Value:
(PID) Process: (6492) SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation: write
Name: Blob
Value:
(PID) Process: (6676) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000DC6083568EEDDA01141A0000341A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6676) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000DC6083568EEDDA01141A0000341A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6676) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000087C0E2568EEDDA01141A0000341A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6676) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000087C0E2568EEDDA01141A0000341A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
346
Suspicious files
272
Text files
188
Unknown types
34

Dropped files

PID
Process
Filename
Type
PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\__temp.zip
MD5:
SHA256:

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\Shared.cab
MD5:
SHA256:

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\MFEagent.msi
Type: executable
MD5: C749451319627D6DF621130180A051A2
SHA256: 06D55C5EFA2745D073A0BD39342B057C171859BA5D7184A7308EA103CD299868

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\contrib.ini
Type: text
MD5: 3D0B1D1A9042955616039B6B0A8EEAB8
SHA256: 51A189B5E527B827363E96C962ACBEDECED154DED3A23D70D1A9A558F9C7EF9B

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\RepoKeys.ini
Type: ini
MD5: AE35CC8571C6C77F8A3DA2DD8426766C
SHA256: AD09BB1B0DA372D0B233C9E5F31BAC9A9F1A9B2167FEA13BC8D7314F2EB896FA

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\req2048seckey.bin
Type: binary
MD5: 5191848515739AA65CDD97E3D2E283C8
SHA256: 8BA9397BDE9834209CE78BFBDED75C05B98924D1D16DE882A7E26C91EE2A2EAE

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\Svc_x86.cab
Type: compressed
MD5: BCEE6CBFF199530FA89A044A8ED8392C
SHA256: BEDA7B978AEA604E3FCBD7046D0841A9FDC704486BCFBDDCAB1B34BC5F16040C

PID: 6676
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\Svc_x64.cab
Type: compressed
MD5: 6692F128C7E88CFC544FEC03C1D58D1B
SHA256: 01AA2B28C634912AA576139EFC57D25A7C2CF262DF7ADAFDC8F2DDCD397DC7DA

PID: 6492
Process: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe
Filename: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\SiteList.xml
Type: text
MD5: A11F9240428C28BEFD7D1D07BC1695FB
SHA256: 671E06FE557478927443F54E4537BE1B27636A211764A66577D1C41792CEE2F7
HTTP(S) requests
8
TCP/UDP connections
52
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4844
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7124
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6676
msiexec.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D
unknown
whitelisted
6676
msiexec.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D
unknown
whitelisted
6236
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6676
msiexec.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D
unknown
whitelisted
6676
msiexec.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDFzND7mMLNAClZYo2Q%3D%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
5116
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2272
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5116
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5336
SearchApp.exe
2.16.110.176:443
www.bing.com
Akamai International B.V.
DE
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4844
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 2.16.110.176
  • 2.16.110.171
  • 2.16.110.195
  • 2.16.110.123
  • 2.16.110.168
  • 2.16.110.121
  • 2.16.110.193
  • 2.16.110.136
  • 2.16.110.170
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.71
whitelisted
th.bing.com
  • 2.16.110.168
  • 2.16.110.171
  • 2.16.110.195
  • 2.16.110.136
  • 2.16.110.176
  • 2.16.110.170
  • 2.16.110.123
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted

Threats

No threats detected
Process
Message
FrmInst.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
FrmInst.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\FrmInst.exe loading C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\mfevtpa.dll, WinVerifyTrust failed with 80092003
FrmInst.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
FrmInst.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\FrmInst.exe loading C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\mfeaaca.dll, WinVerifyTrust failed with 80092003
FrmInst.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
FrmInst.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\FrmInst.exe loading C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\mfeaaca.dll, WinVerifyTrust failed with 80092003
FrmInst.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
FrmInst.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\FrmInst.exe loading C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\mfeaaca.dll, WinVerifyTrust failed with 80092003
FrmInst.exe
NotComDllGetInterface: DLL not found in install location, looking in current directory
FrmInst.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\FrmInst.exe loading C:\Users\admin\AppData\Local\Temp\mfeC16EAEF3-ECB8-4313-99C8-35BB2CDF60D5.tmp\mfeaaca.dll, WinVerifyTrust failed with 80092003