Warning message... Link to action
Supply chain attacks explained Watch video
Severe |Detected with Windows Defender Antivirus
Aliases: No associated aliases
Windows Defender Antivirus detects and removes this threat.
This threat is a fileless malware attack which can perform a number of actions of a malicious hacker's choice on your PC.
You should:
Use the following free Microsoft software to detect and remove this threat:
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender Antivirus for Windows 10.
Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection and make sure that your Cloud-based Protection settings is turned On.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
This threat is a form of a fileless malware attack which involves invoking Windows Management Instrumentation (WMI) objects and scheduling clean-up tasks through PowerShell without your consent.
We have observed this threat being distributed through EternalBlue exploit and Mimikatz.
This threat registers permanent events, to persist in your PC, relating instances with the following event filters named:
WMI Object values:
Connects to a remote host
We have seen this threat connect to a remote host, including the following IPs:
Malware connects to a remote host to allow backdoor access and control of and send stolen information from your PC to the malicious hacker or cybercriminal.
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
This analysis was published using the following file SHA1: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952
The following can indicate that you have this threat on your PC:
