Defender blocked a threat (elevated risk) - How do I find out which program?


rogerrabbit
OS
Windows 11
Hi,

I received a notification this morning that Windows Defender blocked a threat (elevated risk) and quarantined it.

After following the link in the notification, the message shown in the attached screenshot was displayed.

How can I find out which program contained (or contains) the hack tool?

Task Manager is of no help because the indicated PID (2844) is no longer running.

Thanks in advance!

Searching for the threat name will help; also see if Defender took action on the threat, like removing it.
Look at your browser history for that date and time.
How can I find out which program contained (or contains) the hack tool?
Try Event Viewer, filtered on "Event sources: Windows Defender", and check the logs around that time to see if it has more details.
Try Event Viewer, filtered on "Event sources: Windows Defender", and check the logs around that time to see if it has more details.

Thanks (to all of you)!
I suppose it came from the internet and not from a program installed.
I tried your idea @echo2446, but it says "log clear" just for the time of the event (08:31).

Never mind, I think the threat is deleted and I will see in the future whether some program is not working (correctly) anymore!
Download Malwarebytes Free and do a full scan, just to be sure.
Mimikatz is an open-source credential extraction tool, probably one of the strongest. It generally comes packaged in executables that are created for the purpose of bypassing software license requirements. Funny, it gives people something and takes way more lol
However, it's not the only way to cop a sniff of it, I suppose.
Let us know if you find where it came from. There are of course (apparently) legitimate uses for it, so maybe in context of where it came from, it could be a false positive of sorts.
Download Malwarebytes Free and do a full scan, just to be sure.

Ok, I did it! It didn't find anything.


@antspants
The only programs I downloaded yesterday were updates for Tutamail and Thunderbird. So I don't think that this was at the origin. Ok, I will report back if I find out something.

Thanks
How can I find out which program contained (or contains) the hack tool?

This batch script will list the original location & filename of all quarantined items.
It must be run as Admin.

:: Simplify the command line prompt for ease of comprehension during testing
prompt $g

title List current quarantined items

:: Search for the latest subfolder in %ProgramData%\Microsoft\Windows Defender\Platform.
:: dir /od lists the subfolders oldest first, so the last one assigned is the latest one.
for /f "delims=" %%i in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /od /b') do set "LatestVersionPath=%%i"

:: List the quarantined items with their original paths. -listall only lists; nothing is restored.
"%ProgramData%\Microsoft\Windows Defender\Platform\%LatestVersionPath%\MpCmdRun.exe" -restore -listall

pause

Note that, despite the inclusion of the word restore, this just lists items, it does not take any action.

Sample output:
Read from the line "The following items are quarantined". I leave in all the output so it can help with any debugging that becomes necessary.


Denis
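The Event Viewer check suggested earlier and the quarantine listing above, done from one elevated PowerShell prompt, as an added example that is not from this thread or from Microsoft. It assumes the built-in Defender module (Get-MpThreatDetection, Get-MpThreat) and the Microsoft-Windows-Windows Defender/Operational log are available, as they are on a standard Windows 11 install.

```powershell
# Added example: three places Defender records what it detected and where it came from.
# Run in an elevated PowerShell. Assumes the built-in Defender module (Windows 11).

# Map ThreatID -> ThreatName (e.g. a HackTool:Win32/... name) from the threat catalogue.
function Get-DefenderThreatNames {
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    return $names
}

# 1. Detection history: which process triggered the detection and which files were involved.
function Get-DefenderDetectionSummary {
    $names = Get-DefenderThreatNames
    Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Process   = $_.ProcessName      # the browser, installer or updater that wrote the file
            # Resources look like "file:_C:\path\tool.exe" or "process:_pid:2844,...";
            # strip the "file:_" prefix so the original path reads plainly.
            Resources = ($_.Resources | ForEach-Object { $_ -replace '^file:_', '' }) -join '; '
        }
    }
}

# 2. Operational log: event 1116 = threat detected, 1117 = action taken (quarantine/remove).
#    The Message text carries Path, Process Name, Detection Origin and User.
function Get-DefenderDetectionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $Since
    } | Select-Object TimeCreated, Id, Message
}

# 3. Quarantine contents with original path and filename, using the newest platform
#    copy of MpCmdRun.exe, located the same way the batch script above does it.
function Get-DefenderQuarantineList {
    $platform = Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform" -Directory |
        Sort-Object LastWriteTime | Select-Object -Last 1
    & (Join-Path $platform.FullName 'MpCmdRun.exe') -Restore -ListAll
}

Get-DefenderDetectionSummary | Format-List
Get-DefenderDetectionEvents   | Format-List
Get-DefenderQuarantineList
```

If the entry has already been cleared from Protection history, the 1116/1117 events and the quarantine listing are independent records that still hold the original path and the process that wrote the file.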
It didn't find anything.
It wouldn't. The potentially-offending file has been put in quarantine by WD so, as far as MWB or any other programme is concerned, it does not exist.


Denis