Just an office drone in Canada. Posting here, and trust that the powers that be will put the item into the proper forum as the reply it is intended to be:
We had the same problem re Behavior:Win32/Powermet.B!attk these last couple of days. Showed up out of nowhere (though we had been experiencing a Mirai malware) -- both things being caught by Windows Defender (we run Windows 10 Pro).
The Powermet behaviour was experienced as a quickly vanishing command.com window appearing about 2 seconds (on our system) after logging in to a user account, followed by Windows Defender identifying and quarantining the threat.
With the help of an article about options for automatically starting programs in Windows after login, we were able to trace the item to a registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], with an entry pointing to a 123.bat file in the windows/system32/wbem folder in our case (your location is probably different). That registry location is the location for automatically starting programs, though one should also check in the Startup folder and also using msconfig.
Among other things, the bat file invokes a small-sized command console; invokes the cacls command over certain dll files [having to do with security considerations]; makes the bat file itself a system file and hidden; and then invokes a regsvr32 process pointing to an outside server [to run a particular program there]. (I saw a post on a Microsoft forum this morning re Powermet, with a different website being used -- not surprisingly, perhaps.)
We deleted the registry key and the related bat file, which got rid of the command window behaviour and Windows Defender running on login.
Scanning the bat file itself with an antivirus program did not produce a warning.
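
The check described in the post (Run key, Startup folders, then the batch file the entry points to) can be scripted as a read-only audit. This is an added example, not part of the original post: the helper name `Get-AutostartFlags`, the per-user HKCU key and the flag patterns are assumptions chosen to match the behaviour the poster describes.

```powershell
# Added example: read-only audit of the autostart locations mentioned in the post.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # per-user counterpart (assumption)
)
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

# Hypothetical helper: flag traits matching the behaviour described in the post.
function Get-AutostartFlags {
    param([string]$Command)
    $flags = @()
    if ($Command -match '([A-Za-z]:\\[^"]*?\.(bat|cmd))') {
        $flags += 'batch-file'
        # -Force is needed because the post's file was marked hidden and system.
        $file = Get-Item -LiteralPath $Matches[1] -Force -ErrorAction SilentlyContinue
        if ($file) {
            if ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                $file.Attributes.HasFlag([IO.FileAttributes]::System)) { $flags += 'hidden+system' }
            $text = Get-Content -LiteralPath $file.FullName -Raw -Force -ErrorAction SilentlyContinue
            if ($text -match 'regsvr32[^\r\n]*https?://') { $flags += 'regsvr32-remote' }
            if ($text -match '\bcacls\b')                 { $flags += 'cacls' }
        } else { $flags += 'target-missing' }
    }
    if ($Command -match 'regsvr32[^\r\n]*https?://') { $flags += 'regsvr32-remote' }
    return ($flags | Select-Object -Unique) -join ','
}

# Collect every value under the Run keys.
$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd; Flags = Get-AutostartFlags $cmd }
    }
})
# Collect files in the Startup folders, hidden ones included.
$results += @(foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName
                           Flags = Get-AutostartFlags $_.FullName }
    }
})
$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM key and system folders are readable; it changes nothing, and an entry with several flags is a candidate for the manual review described above.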