Defender blocked a threat (elevated risk) - How do I find out which program?


rogerrabbit

Member
Member
Local time
5:34 PM
Posts
34
OS
Windows 11
Hi,

I received a notification this morning that Windows Defender blocked a threat (elevated risk) and quarantined it.

After following the link in the notification, the message shown in the attached screenshot was displayed.

How can I find out which program contained (or contains) the hack tool?

Task Manager is of no help because the indicated PID (2844) is no longer running.

Thanks in advance!

Capture.webp
 

My Computer My Computer

At a glance

Windows 11Intel Core i3 12 100 12th generationKingston DDR4-3200 16 GBytesIntel UHD 730
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
Gigabyte H610M H V2 DDR4 (Rev. 1.0)
CPU
Intel Core i3 12 100 12th generation
Motherboard
American Megatrend F34
Memory
Kingston DDR4-3200 16 GBytes
Graphics Card(s)
Intel UHD 730
Searching for the threat name will help; also see if Defender took action on the threat, like removing it.
 

My Computer My Computer

At a glance

Windows 11AMD Ryzen 7 5700GMicron Technology DDR4-3200 16GBNVIDIA GeForce RTX 3060
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
HP Pavilion
CPU
AMD Ryzen 7 5700G
Motherboard
Erica6
Memory
Micron Technology DDR4-3200 16GB
Graphics Card(s)
NVIDIA GeForce RTX 3060
Sound Card
Realtek ALC671
Monitor(s) Displays
Samsung SyncMaster U28E590
Screen Resolution
3840 x 2160
Hard Drives
SAMSUNG MZVLQ1T0HALB-000H1

Look at your browser history for that date and time.
 

My Computers My Computers

  • At a glance

    Windows 11 Pro 25H2 26200.8737AMD Ryzen 7 5825U with Radeon Graphics16GB
    OS
    Windows 11 Pro 25H2 26200.8737
    Computer type
    Laptop
    Manufacturer/Model
    Acemagic LX15PRO
    CPU
    AMD Ryzen 7 5825U with Radeon Graphics
    Motherboard
    BIOS CT_BI_AMI_LX15PRO_AB8139_A-004
    Memory
    16GB
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 2TB
    Internet Speed
    30 Mbps
    Browser
    Brave
    Antivirus
    Defender/Windows Security
    Other Info
    System 3

    Acer Swift SF114-34 laptop
    OS Windows 11 Pro 26200.8737
    CPU Pentium Silver N6000
    RAM 4GB
    BIOS v1.17
    SSD Samsung 970 EVO Plus SSD 2TB (an upgrade)
  • At a glance

    Windows 11 Pro 23H2 22631.2506Atom N450 1.66GHz2GB
    Operating System
    Windows 11 Pro 23H2 22631.2506
    Computer type
    Laptop
    Manufacturer/Model
    HP Mini 210-1090NR PC (bought in late 2009!)
    CPU
    Atom N450 1.66GHz
    Memory
    2GB
    Browser
    Brave
    Antivirus
    Webroot
How can I find out which program contained (or contains) the hack tool?
Try Event Viewer, filtered on "Event sources: Windows Defender", and check the logs around that time to see if it has more details.
 

My Computer My Computer

At a glance

Windows 11 Pro 25H2
OS
Windows 11 Pro 25H2
Computer type
PC/Desktop
Try Event Viewer, filtered on "Event sources: Windows Defender", and check the logs around that time to see if it has more details.

Thanks (to all of you)!
I suppose it came from the internet and not from an installed program.
I tried your idea @echo2446, but it says "log clear" just for the time of the event (08:31).

Never mind, I think the threat is deleted and I will see in the future whether some program is not working (correctly) anymore!
 

Download Malwarebytes Free and do a full scan, just to be sure.
 

Mimikatz is an open-source credential extraction tool, probably one of the strongest. It generally comes packaged in executables that are created for the purpose of bypassing software license requirements. Funny, it gives people something and takes way more lol
However, not the only way to cop a sniff of it, I suppose.
 

My Computers My Computers

  • At a glance

    Windows 11 Pro 25H2 Build 26200.8655Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz32.0 GB of I forget and the box is in storage.Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    OS
    Windows 11 Pro 25H2 Build 26200.8655
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built 2013
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    ROG SupremeFX Formula 8-Channel High Definition Audio
    Monitor(s) Displays
    5 x LG 25MS500-B - 1 x 24MK430H-B - 1 x Wacom Pro 22" Touch Screen Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list. OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech: G402 / G502 / Mx Masters / Mx Air Cordless
    Internet Speed
    2000/500Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    TP-Link BE9300 WiFi 7 Bluetooth 5.4 (Archer TBE550E)
    TP-Link TX201 V1 2.5GB Lan

    Grandstream HT812 - VoIP
    ASUS DSL-AX82U - Mesh
    ASUS RT-AC68U - Mesh
    ASUS RT-BE88U Router

    Brother MFC-L2880DW Printer

    I’m on a horse.
  • At a glance

    Windows 11 Pro 25H2 Build 26200.8655 (Wifes)13th Generation Intel® Core™ i5-1340P Process...16GB LPDDR5-52001x Intel® Iris® Xe Graphics
    Operating System
    Windows 11 Pro 25H2 Build 26200.8655 (Wifes)
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7 14IRL8 - Type 82YL
    CPU
    13th Generation Intel® Core™ i5-1340P Processor(Core™ i5-1340P)
    Memory
    16GB LPDDR5-5200
    Graphics card(s)
    1x Intel® Iris® Xe Graphics
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512 GB SSD PCIe
    Mouse
    Logiteck MX Master 3S
    Internet Speed
    2000/500
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.


    Wireless Network: Wi-Fi 6E 2x2 AX; Bluetooth® 5.1 or above
    Ports: 1x 1 Novo button; 2 in 1 Audio Combo jack; Micro SD Card Reader; HDMI 1.4b; 2 x USB Type-C (TBT4)
    USB 3.2 Gen 2 DP 1.4a
    PD 3.0); 1 x USB 3.2 Gen1 Type A
    Camera
    1x 1080P FHD IR/RGB Hybrid with Privacy Shutter and Dual Array Microphone
    Graphics
    1x Intel® Iris® Xe Graphics
    Monitor
    14" WUXGA
    Form Factor
    Convertible Notebook
  • Windows 11 Pro 25H2 Build 26200.8655 (Wifes)

    Yoga 7 2-in-1 14IML9 - Type 83DJ

    Processor: Intel® Core™ Ultra 7 155H Processor(Core™ Ultra 7 155H)

    Memory: 32GB LPD5X-7467

    Hard Drive: 1 TB SSD PCIe

    Wireless Network: 1x Wi-Fi 6E 2x2 AX; Bluetooth® 5.1 or above

    Ports: 1 x HDMI 2.1 TMDS; 1 x Novo Button; 1 x Combo Audio Jack
    2 x USB-C (USB 4.0)
    1 x USB-A 3.2 Gen 1

    Camera: 1080P FHD IR Hybrid with Dual Microphone

    Graphics: Intel® Arc™ Graphics

    Monitor: 14" 2.8K

    ...Where's my horse?
Let us know if you find where it came from. There are of course (apparently) legitimate uses for it, so maybe in context of where it came from, it could be a false positive of sorts.
 

Download Malwarebytes Free and do a full scan, just to be sure.

Ok, I did it! It didn't find anything.


@antspants
The only programs I downloaded yesterday were updates for Tutamail and Thunderbird, so I don't think that this was the origin. Ok, I will report back if I find out something.

Thanks
 

How can I find out which program contained (or contains) the hack tool?

This batch script will list the original location & filename of all quarantined items.
It must be run as Admin.

:: Simplify the command line prompt for ease of comprehension during testing
prompt $g

Title List current quarantined items

:: search for the latest subfolder in %ProgramData%\Microsoft\Windows Defender\Platform
:: It processes all subfolders in sequence so that last one to be set is the latest one
set GetLatestVersionPath="dir "C:\ProgramData\Microsoft\Windows Defender\Platform" /ad /od /b"
FOR /F "tokens=*" %%i IN (' %GetLatestVersionPath% ') Do Set LatestVersionPath=%%i

"C:\ProgramData\Microsoft\Windows Defender\Platform\%LatestVersionPath%\MpCmdRun.exe" -restore -listall

Pause to review results

Note that, despite the inclusion of the word restore, this just lists items, it does not take any action.

Sample output:-
Read from the line The following items are quarantined
[I always display all the output to help me with any debugging that proves necessary.]
List script output - Cleaned.webp


Denis
 

My Computer My Computer

At a glance

Windows 11 Home x64 Version 25H2 Build 26200....
OS
Windows 11 Home x64 Version 25H2 Build 26200.8037
It didn't find anything.
It wouldn't. The potentially-offending file has been put in quarantine by WD so, as far as MWB or any other programme is concerned, it does not exist.


Denis
 

This batch script will list the original location & filename of all quarantined items.
It must be run as Admin.

Denis

Thank you very much !


Unfortunately the output only shows two threats from 03/05/2026 and not the one of this morning, 02/07/2026 at 08:31 (see attached).

Strange! Why does Defender hide this information?
Why does the Event Viewer see an event, but say "log clear" at 08:31 (the time of the threat)?


Capture.webp
 

ThreatName = Trojan:Win32/Cerdigent.A!dha
A malicious trojan, probably worse than Mimikatz.

Root certificates are extremely sensitive. If a trojan installs its own root certificate, it can make malicious HTTPS traffic appear “trusted”, intercept encrypted communications, impersonate legitimate websites, bypass browser warnings, and sign malicious files so they appear safe.
Defender quarantined 2 root certs.
I'll be honest, if it were my PC I'd be reinstalling. But then again, I'm paranoid.
 

If defender grabbed them then you could be fine. But where did it all come from?
Apologies but I have to ask, have you run any cracks to use software for free?
 

but it says "log clear"

"log clear" at 08:31 (the time of the threat) ?
This definitely isn’t normal and could be bad, since Windows itself doesn’t do this for recent events (your previous events haven’t been cleared). The clearing may be the work of malware.

You might want to post the details from that "clear-log" entry: double-click the entry, click the Details tab, then click Friendly View. Copy the info using the Copy button at the bottom, and paste it here (redact anything sensitive).

@rogerrabbit : At this point, I’d probably try another scanner. Maybe the ESET Online Scanner, or the Kaspersky Virus Removal Tool (if you’re not restricted).

A malicious trojan, probably worse than Mimikatz.
There was a bad Windows Defender update that briefly flagged legitimate root certificates at the end of April. Do you think the OP might have had that update?
 

There was a bad Windows Defender update that briefly flagged legitimate root certificates at the end of April. Do you think the OP might have had that update?

Could be, Echo. I was oblivious to it? But yeah maybe. At the least, scan it with everything known to man. Or a system image? We love and encourage those here, rogerrabbit
 

Apologies but I have to ask, have you run any cracks to use software for free?

Thanks, I appreciate your directness. But the only program I have on my PC which is neither paid nor completely free is an old giveaway version of VCF Editor, downloaded directly from Vovsoft, which I haven't used for months, however.

I don't really understand your last sentence and why you put a link to my profile.

---

@echo2446

The detail of the event log is not very informative and gives a SID which is mine and a not very helpful link to: http://manifests.microsoft.com/win/2004/08/windows/eventlog, see below (hope I have redacted everything sensitive)

"Nom du journal :Security
Source : Microsoft-Windows-Eventlog
Date : 02/07/2026 08:31:24
ID de l’événement :1102
Catégorie de la tâche :Log clear
Niveau : Information
Mots clés : Succès de l’audit
Utilisateur : N/A
Ordinateur : DELETED
Description :
Le journal d’audit a été effacé.
Objet :
ID de sécurité : DELETED/DELETED
Nom de compte : DELETED
Nom de domaine : DELETED
ID de connexion : 0x52E4A
XML de l’événement :
<System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-02T06:31:24.1934281Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="8712" ThreadID="10752" />
<Channel>Security</Channel>
<Computer>DELETED</Computer>
<Security />
</System>
<UserData>
<SubjectUserSid>S-1-5-21-3795828713-1622907658-1058423388-1000</SubjectUserSid>
<SubjectUserName>DELETED</SubjectUserName>
<SubjectDomainName>DELETED</SubjectDomainName>
<SubjectLogonId>0x52e4a</SubjectLogonId>
<ClientProcessId>9492</ClientProcessId>
<ClientProcessStartKey>4503599627372207</ClientProcessStartKey>
</LogFileCleared>
</UserData>
</Event>

To both (also to @antspants)

Yes, I'll probably do a clean install (I am still hesitating a bit). I have a Windows image (from the old Windows 7 imaging program) from June 18, which was however created after the events of May 03, and a few even more recent Hasleo backups. So if there is really a problem they are not very helpful.

Thanks
 

Why does the event wiever see an event, but says: "log clear" at 08:31 (the time of the threat) ?
Like the others, I find the "log clear" highly suspicious.

Event viewer does record detections & quarantines:-
Log name: Microsoft-Windows-Windows Defender/Operational
Source: Windows Defender
EventID: 1116,1117
e.g.
This is a 1117 record, the quarantine event. You can also see 1116, the detection event, 21 seconds earlier [its details pane does not show any additional info beyond that shown for 1117].
Event viewer, Quarantine event.webp

Just as an experiment, I just told WD [Protection history] to remove the 23/4/26 item shown above.
As expected, that item has now disappeared from the output of my quarantine list batch script.
But its Event viewer record remains.
So I conclude that something took the deliberate action of clearing your log and, if it was not you, then it was something else.
I would run a WD offline scan but I would not trust a negative result & wouldn't trust any of my existing disks in that case either.


Denis
 

ID de l’événement :1102
<SubjectUserSid>S-1-5-21-3795828713-1622907658-1058423388-1000</SubjectUserSid>
<SubjectUserName>DELETED</SubjectUserName>
I think this means it shows YOU as the source for clearing the log entry, which probably implies malware running in your context. Even if Defender managed to quarantine the other binary, maybe something else cleared the entry—something that might not have been mitigated.

Ref: Decoding Windows event logs: A definitive guide for incident responders

As you already know, reinstalling Windows / rolling back the image is probably the best bet. An alternative is heading to those well-known malware removal forums, which seem to clear infections for most people, but not all.
 
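Putting Denis's Event Viewer pointers (Microsoft-Windows-Windows Defender/Operational, IDs 1116/1117) and echo2446's reading of the Security 1102 record together, here is an added PowerShell example that is not from this thread, from Microsoft, or from any poster. It assumes the time window taken from the thread and that Defender's operational events carry the EventData field names "Threat Name", "Path", "Process Name", "Detection User", "Action Name" and "Severity Name"; the 4688 lookup only helps where process-creation auditing was on and those records survived the clear.

```powershell
# Added example (not from the thread): read side by side what the posters looked up by hand.
# 1) Defender Operational 1116 (detection) / 1117 (action taken): threat name, path and the
#    process that touched the resource, i.e. the OP's "which program?" question.
# 2) Security 1102 (audit log cleared): which account, logon and client PID cleared it.
# 3) Defender's own detection history through the Defender module cmdlets.
# Run from an elevated PowerShell; the Security log is not readable otherwise.
# Assumptions: the time window below (taken from the thread) and the Defender EventData
# field names "Threat Name", "Path", "Process Name", "Detection User", "Action Name",
# "Severity Name".
param(
    [datetime]$Around = (Get-Date '2026-07-02 08:31'),   # time of the notification; adjust
    [int]$WindowMinutes = 30
)
$start = $Around.AddMinutes(-$WindowMinutes)
$end   = $Around.AddMinutes($WindowMinutes)

function Get-EventDataMap {
    # Flatten an event's XML into a name -> value hashtable, covering both
    # <EventData><Data Name=...> (Defender, 4688) and <UserData><X><Field> (1102).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    foreach ($child in $xml.Event.UserData.ChildNodes) {
        foreach ($n in $child.ChildNodes) { $map[$n.LocalName] = $n.InnerText }
    }
    return $map
}

Write-Host "== Defender detections (1116) and actions (1117), $start .. $end =="
$defenderLog = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                  Id = 1116, 1117; StartTime = $start; EndTime = $end }
Get-WinEvent -FilterHashtable $defenderLog -ErrorAction SilentlyContinue | ForEach-Object {
    $m = Get-EventDataMap $_
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Threat   = $m['Threat Name']
        Severity = $m['Severity Name']
        Path     = $m['Path']           # file / registry / certificate resource acted on
        Process  = $m['Process Name']   # process that dropped or ran it
        User     = $m['Detection User']
        Action   = $m['Action Name']    # e.g. Quarantine
    }
} | Format-List

Write-Host "== Security log cleared (1102) in the same window =="
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102
                                            StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue
foreach ($ev in $cleared) {
    $m = Get-EventDataMap $ev
    $clientPid = [int]$m['ClientProcessId']
    Write-Host ("{0}  cleared by {1}\{2} (SID {3}) logon {4}, client PID {5}, record #{6}" -f
        $ev.TimeCreated, $m['SubjectDomainName'], $m['SubjectUserName'], $m['SubjectUserSid'],
        $m['SubjectLogonId'], $clientPid, $ev.RecordId)
    # RecordId 1 (as in the thread's paste) means the 1102 is the first record after a wipe:
    # everything before it on this host is gone, which is why forwarding logs off-host matters.
    # If process-creation auditing (4688) was on and the records survived, the newest 4688
    # before the clear whose NewProcessId equals the client PID (4688 stores it as hex) names it.
    $hexPid = '0x{0:x}' -f $clientPid
    $creator = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688
                                                StartTime = $start.AddHours(-12); EndTime = $ev.TimeCreated } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataMap $_)['NewProcessId'] -eq $hexPid } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($creator) {
        $c = Get-EventDataMap $creator
        Write-Host ("    PID {0} = {1} (parent {2}), started {3}" -f
            $clientPid, $c['NewProcessName'], $c['ParentProcessName'], $creator.TimeCreated)
    } else {
        Write-Host "    No surviving 4688 record for PID $clientPid (auditing off, or wiped by the clear)."
    }
}

Write-Host "== Defender detection history (Defender module) =="
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $start -and $_.InitialDetectionTime -le $end } |
    ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Process   = $_.ProcessName             # process Defender saw acting on the resource
            Resources = ($_.Resources -join '; ')  # e.g. file:_C:\path\x.exe, containerfile:_...
            User      = $_.DomainUser
        }
    } | Format-List
```

The Defender history section complements Denis's MpCmdRun listing: it still reports detections whose quarantined item has since been removed, whereas the quarantine list only shows what is currently held.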