Trojan:Win32/Wacatac.H!ml is a Microsoft Defender machine-learning alert that should stay quarantined until you verify the affected file path, source, and signature. If the file came from a crack, repack, fake update, email attachment, unknown archive, or a download portal, treat it as malware and remove the source package. If it belongs to a trusted signed app, verify the publisher, hash, official download source, and false-positive reports before restoring anything.
What should you do with Trojan:Win32/Wacatac.H!ml?
- Do not restore or allow it first. Keep Defender’s quarantine/removal action while you investigate.
- Copy the affected item path. The same detection on %USERPROFILE%\Downloads, %TEMP%, a browser cache, or an official signed installer means different things.
- Delete the original source if it is a crack, repack, trainer, unknown executable, archive, script, email attachment, or fake update.
- Verify only trusted files. Check the digital signature, hash, vendor page, and whether the same release is being reported as a false positive.
- Scan for persistence if the file ran or if the alert returns after reboot.
Start with a full Gridinsoft Anti-Malware scan.
If Windows Defender is already showing this alert, the blocked file may be only one part of the infection chain. Check the whole PC for hidden copies, startup entries, scheduled tasks, browser changes, and bundled components before you restore, exclude, or rerun anything.
| Detection | Trojan:Win32/Wacatac.H!ml |
| Related searches | Trojan:Script/Wacatac.H!ml, Wacatac.H!ml false positive, Wacatac removal |
| Likely intent | Decide whether to restore a file, submit a false positive, or remove malware |
| Best first action | Quarantine, check path/source/signature, remove unknown source packages, scan fully if executed |

What is Trojan:Win32/Wacatac.H!ml?
Wacatac is a Microsoft Defender detection family often associated with loaders, downloaders, stealers, and suspicious packed executables. The H!ml suffix points to a machine-learning or heuristic-style detection, so Defender may have limited public details for a specific sample. That makes the affected path and source more important than the family name alone.
This page is for the exact Trojan:Win32/Wacatac.H!ml alert. If your alert only says Trojan:Win32/Wacatac, use the broader family guide. If it says Trojan:Script/Wacatac.B!ml, handle it as a script/archive/browser-cache case. For unfamiliar Defender name parts, the Microsoft Defender detection names guide explains platform, family, suffix, and action status.
Check the affected path and source before restoring
Open Windows Security → Virus & threat protection → Protection history, open the Wacatac.H!ml entry, and copy the affected item path. Do this before clearing history, deleting browser cache, or reinstalling the app, because the path is the best clue for what happened.
| Where Defender found it | What it usually means |
| %USERPROFILE%\Downloads, %TEMP%, archive extraction folder, crack, keygen, trainer, repack, or fake installer | High-risk source. Keep quarantine, delete the original package, and scan the PC. Do not restore to “test” the file. |
| Official installer or update from a known vendor, signed executable, or developer-built tool | Possible false positive. Verify the signature, hash, vendor page, and release channel before restoring. Submit the file to Microsoft/vendor if the evidence is clean. |
| Startup folder, Task Scheduler path, AppData, browser profile, or a file that returns after reboot | Treat it as active persistence. Scan fully and review startup entries, scheduled tasks, browser extensions, and Defender exclusions. |
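The same path check can be done from an elevated PowerShell prompt instead of the Protection history window. The following is an added example, not part of the original guide: the function name `Get-WacatacTriage` and the path patterns are assumptions chosen to mirror the table above, while `Get-MpThreat` and `Get-MpThreatDetection` are the Defender module's own cmdlets.

```powershell
# Added example: list every Wacatac detection Defender has recorded and
# bucket each affected path the way the table above does.
# Function name and regex patterns are illustrative assumptions.
function Get-WacatacTriage {
    # Map ThreatID -> ThreatName, since detections only carry the ID.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $names[$_.ThreatID] -like '*Wacatac*' } |
        ForEach-Object {
            $d = $_
            foreach ($r in $d.Resources) {
                # Resources look like "file:_C:\Users\...": strip the scheme prefix.
                $path = $r -replace '^[a-z]+:_', ''
                # Downloads/Temp is tested first because %TEMP% lives under AppData.
                $bucket = switch -Regex ($path) {
                    '\\Downloads\\|\\Temp\\' {
                        'High-risk source: keep quarantine, delete the package'; break
                    }
                    '\\Startup\\|\\System32\\Tasks\\|\\AppData\\' {
                        'Possible persistence: full scan, review autoruns'; break
                    }
                    default {
                        'Unclassified: verify signature, hash, vendor source'
                    }
                }
                [pscustomobject]@{
                    Detected = $d.InitialDetectionTime
                    Threat   = $names[$d.ThreatID]
                    Path     = $path
                    Triage   = $bucket
                }
            }
        }
}

Get-WacatacTriage | Sort-Object Detected | Format-Table -AutoSize -Wrap
```

The bucket is only a starting point: a signed vendor installer sitting in Downloads still lands in the high-risk row until its source is confirmed.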
Could Wacatac.H!ml be a false positive?
Yes, but the evidence has to be stronger than “I wanted the file.” False positives are more plausible for newly built software, uncommon developer tools, emulators, scripts, or installers downloaded from the official project/vendor source. Before restoring, confirm the publisher signature, hash, and release source, then submit the file for review if needed. If the file came from a torrent, cracked game, mod menu, fake update page, random Discord link, or unknown archive, remove it instead.
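One way to collect the signature and hash evidence described above, as an added example that is not from the original guide. The function name `Test-RestoreCandidate` and its parameters are assumptions; the expected hash and publisher must come from the vendor's official release page, and the file must be a readable copy (for example a fresh download from the vendor), not the quarantined item.

```powershell
# Added example: gather false-positive evidence before any restore decision.
# Function and parameter names are assumptions, not a Defender API.
function Test-RestoreCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,    # published by the vendor
        [Parameter(Mandatory)][string]$ExpectedPublisher  # certificate CN you expect
    )

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $checks = [ordered]@{
        # 'Valid' means the signature verifies and chains to a trusted root.
        SignatureValid = ($sig.Status -eq 'Valid')
        # Unsigned files have no certificate, so this stays false for them.
        PublisherMatch = ($signer -like "*CN=$ExpectedPublisher*")
        # -eq on strings is case-insensitive, so hex case does not matter.
        HashMatch      = ($hash -eq $ExpectedSha256.Trim())
    }

    # All three must hold; a valid signature from an unexpected publisher,
    # or a hash the vendor never published, is not evidence of a clean file.
    $allPass = -not ($checks.Values -contains $false)

    [pscustomobject]@{
        Path           = $Path
        Sha256         = $hash
        Signer         = $signer
        SignatureValid = $checks.SignatureValid
        PublisherMatch = $checks.PublisherMatch
        HashMatch      = $checks.HashMatch
        Verdict        = if ($allPass) {
            'Consistent with a false positive: submit for review before restoring'
        } else {
            'Keep quarantined'
        }
    }
}

# Placeholder values: replace with the vendor's published hash and publisher name.
# Test-RestoreCandidate -Path 'C:\Path\To\installer.exe' `
#     -ExpectedSha256 '<SHA-256 from vendor page>' -ExpectedPublisher '<Publisher CN>'
```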
Why does Google show Script/Wacatac.H!ml for this page?
Some users search Trojan:Script/Wacatac.H!ml even when the local alert says Trojan:Win32/Wacatac.H!ml, and Google may mix both because the family and suffix look similar. Use the platform part as a clue: Win32 usually points to an executable, installer, DLL, or packed binary; Script usually points to JavaScript, HTML, VBS, PowerShell, browser cache, or an archive-contained script. The cleanup decision is similar, but the source check changes.
How to remove Trojan:Win32/Wacatac.H!ml safely
- Leave the Defender action as Quarantine or Remove. Do not allow or restore the file first.
- Copy the affected item path from Protection History.
- Delete the original installer, archive, extracted folder, crack, script, or email attachment that delivered the file.
- Uninstall suspicious apps installed around the same time.
- Update Microsoft Defender security intelligence, reboot, and run a full scan.
- Check Startup Apps, Task Scheduler, browser extensions, and Defender exclusions for entries created around the same time.
- If the file ran, change important passwords from a clean device and sign out unknown browser, email, Microsoft, gaming, and wallet sessions.
Run a full Gridinsoft Anti-Malware scan before restoring a file or if the Wacatac.H!ml alert returns. Defender may quarantine the visible item while a loader, scheduled task, startup entry, bundled component, browser change, or Defender exclusion remains and recreates the warning.
Why Wacatac.H!ml keeps coming back
A repeated alert usually means the source package is still present, another component is recreating the file, or Defender keeps scanning an extracted/cache copy. Remove the original archive or installer, empty the download/browser cache after recording the path, and check startup locations. If the path changes after each reboot, treat it as persistence rather than a harmless history entry.
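The startup, scheduled-task, and exclusion checks from the removal steps and from the recurrence causes above can be gathered in one pass. This is an added example, not part of the original guide: the function name `Get-RecentPersistence` and the seven-day default window are assumptions, and it needs an elevated prompt to read the task store and Defender exclusions.

```powershell
# Added example; function name and the 7-day default window are assumptions.
# Run elevated: exclusions and System32\Tasks are hidden from standard users.
function Get-RecentPersistence {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # 1. Files created or changed in the Startup folders or the task store.
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
            "$env:SystemRoot\System32\Tasks"
    Get-ChildItem -LiteralPath $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'NewAutorunFile'; Item = $_.FullName
                               Detail = ''; When = $_.CreationTime }
        }

    # 2. Run-key and Startup commands carry no per-entry timestamp: list all.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Kind = 'StartupCommand'; Item = $_.Name
                           Detail = "$($_.Location) -> $($_.Command)"; When = $null }
    }

    # 3. Defender exclusions: anything listed here is skipped by scans, so an
    #    entry you did not add explains why a file can return unnoticed.
    $pref = Get-MpPreference
    foreach ($type in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in $pref.$type) {
            [pscustomobject]@{ Kind = $type; Item = $value; Detail = ''; When = $null }
        }
    }
}

# Suggested order, matching the removal steps:
#   Update-MpSignature                 # refresh security intelligence
#   Start-MpScan -ScanType FullScan    # after the reboot
Get-RecentPersistence | Sort-Object Kind, When | Format-Table -AutoSize -Wrap
```

Set `-Since` to shortly before the first detection time shown in Protection history so the file listing covers the period when the source package arrived.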
FAQ
Should I allow Trojan:Win32/Wacatac.H!ml?
No, not on a normal PC. Allow only in an isolated lab or after Microsoft/vendor confirms the specific file is a false positive.
Is Wacatac.H!ml always malware?
No detection name is perfect, especially machine-learning detections, but unknown downloads, cracks, repacks, fake updates, and unsigned archives should be treated as unsafe.
What if Defender says Trojan:Script/Wacatac.H!ml?
Use the same quarantine-first logic, but inspect browser cache, archive contents, scripts, and web-delivered files. Script detections often need source cleanup rather than only deleting one executable.
Do I need to reinstall Windows?
Usually no if Defender blocked the file before execution. Consider deeper recovery if the file ran, the alert returns after reboot, Defender says remediation incomplete, or suspicious startup/network behavior remains.

