Forum Discussion
Need help with suspicious "Behavior:Win32/SuspCopy.B"
Hello rs8091
no, my colleague doesn't know how her system got infected. We activated the preview of Microsoft Defender for Endpoint P1 and I can see this:
These are not generated by that file, but I have seen that in many random directories that the threat creates there is always a PowerShell file with that code inside.
I don't know if I can quarantine it.
Any help is appreciated.
Thanks.
https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir
- MarcoMangiante, Sep 09, 2021, Iron Contributor
Hello rs8091
thanks for your reply. I've seen the link and also on our dashboard, but I don't see the possibility; we have activated the preview of Microsoft 365 Defender for Endpoint P1, I d.
I also see that the script that I copied on this forum is not seen in the alert tree.
For what I see today, on my colleague C:\Users\[colleague_account]\AppData\Roaming there is a directory "obUwHjQXC" that has the following files as in the image:
I also see that every 30/60 minutes the svchost.temp is refreshed; also, I suppose that when Defender recognizes the infection, the virus is blocked and so the dialog in the image starts:
I tried to create the directory and the file again, even if empty, because I don't know the contents of the .tmp file; after some time I checked and saw that the recreated file remains empty, and the dialog when the problem shows again is this:
Another thing I noticed in past days is that the files 0_[something].log and 1_[something].log change every day: yesterday there was Teams, the day before Chrome.
This is what I see on the endpoint; instead, what I see in the alerts on the Defender dashboard is something like this in the picture (see that it seems that sometimes the virus uses bitsadmin.exe to transfer data, I don't know where):
The time is the same as what I find on the PC. I also found many, many entries in Task Scheduler: I have now deactivated all the ones that I suppose are related to the threat, but I can't see anything that can help me understand what starts the virus.
Hope this can help to understand better.
Thanks a lot.
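One way to triage the Task Scheduler entries described in the post above, as an added example that is not from this thread or from Microsoft: the script enumerates every scheduled task on the host and flags the ones whose action command line references indicators similar to those reported here (bitsadmin.exe, a directory under AppData\Roaming, an svchost.tmp/.temp file, or a PowerShell launcher with typical hidden/encoded flags). For each hit it records who the task runs as, its state and last/next run time, and exports the full task XML so the trigger that starts it is preserved for the investigation. The indicator patterns and the evidence folder path are assumptions chosen for this example; adjust them to what the alert actually shows.

```powershell
# Added triage example (not code from the thread). Run in an elevated
# PowerShell on the affected host. Read-only apart from writing task XML
# copies into $EvidenceDir, which is a hypothetical path for this example.

$EvidenceDir = 'C:\IR\tasks'          # assumed evidence folder; change as needed
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Indicator patterns modelled on the symptoms described in this thread.
# They are constructed for the example, not signatures of a named threat.
$Patterns = @(
    'bitsadmin',                                   # BITS used to move data
    '\\AppData\\Roaming\\',                        # random directory under Roaming
    'svchost\.te?mp',                              # svchost.temp / svchost.tmp
    'powershell.*(-enc|-e |-w hidden|-nop|bypass)' # common hidden/encoded launcher flags
)
$Regex = $Patterns -join '|'

$Suspicious = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Join executable and arguments so one regex covers both
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match $Regex) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State           # Disabled tasks still show up
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                CommandLine = $cmdline
            }
            # Keep the complete definition (triggers included) before any cleanup
            $safeName = ($task.TaskPath + $task.TaskName) -replace '[\\/:*?"<>|]', '_'
            Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
                Set-Content -Path (Join-Path $EvidenceDir "$safeName.xml")
        }
    }
}

$Suspicious | Sort-Object LastRunTime -Descending | Format-Table -AutoSize -Wrap
```

Tasks that were already disabled by hand still appear with State set to Disabled, and the exported XML contains the trigger section (time, logon, event or idle based), which is usually the quickest way to answer "what starts it" before quarantining anything.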
- rs8091, Sep 13, 2021, Copper Contributor
Hello Marco,
if you click on the events in the ATP console (4th picture), a panel should open on the right with options on how to remediate/block/quarantine the files. Is it available?