Case #4472
general.fusionsoc-t1547-boot-logon-autostart-execution
Analyst Verdict Classification
AI Analysis
Detections (1)
fusionsoc-t1547-boot-logon-autostart-execution
high
Rule: general.fusionsoc-t1547-boot-logon-autostart-execution
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 57% · Verdict: false positive
Event Data:
BASE_ADDRESS: 140695559340032
COMMAND_LINE: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --subproc-heap-profiling --startup-read-main-dll --metrics-shmem-handle=2920,i,9234379949842328063,2292821228280445127,524288 --field-trial-handle=2408,i,16348482333960350465,3233780439182764465,262144 --variations-seed-version --pseudonymization-salt-handle=2468,i,17580291602857589740,11825078043091548828,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2916 /prefetch:13
FILE_IS_SIGNED: 1
FILE_PATH: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
HASH: 47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b
MEMORY_USAGE: 21561344
PARENT: {'BASE_ADDRESS': 140695559340032, 'COMMAND_LINE': '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', 'HASH': '47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b', 'MEMORY_USAGE': 8765440, 'PARENT_ATOM': '0ea1c8346e08ee58829862166a0eb4e7', 'PARENT_PROCESS_ID': 13512, 'PROCESS_ID': 68852, 'THIS_ATOM': '562a1648406fec4d386653956a0eed28', 'THREADS': 4, 'TIMESTAMP': 1779363111785, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID: 68852
PROCESS_ID: 47152
THREADS: 9
USER_NAME: DESKTOP-ATSEPSK\Joy Howell
Analyst Declaration:
Raw Detection JSON
{
  "author": "turbo-threads-api",
  "cat": "fusionsoc-t1547-boot-logon-autostart-execution",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140695559340032,
      "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --subproc-heap-profiling --startup-read-main-dll --metrics-shmem-handle=2920,i,9234379949842328063,2292821228280445127,524288 --field-trial-handle=2408,i,16348482333960350465,3233780439182764465,262144 --variations-seed-version --pseudonymization-salt-handle=2468,i,17580291602857589740,11825078043091548828,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2916 /prefetch:13",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
      "HASH": "47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b",
      "MEMORY_USAGE": 21561344,
      "PARENT": {
        "BASE_ADDRESS": 140695559340032,
        "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --flag-switches-begin --flag-switches-end --no-startup-window",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "HASH": "47455576c6fb157a3a4ddd4ffa3a35d286cb2346d131d08bcaef873b15f5707b",
        "MEMORY_USAGE": 8765440,
        "PARENT_ATOM": "0ea1c8346e08ee58829862166a0eb4e7",
        "PARENT_PROCESS_ID": 13512,
        "PROCESS_ID": 68852,
        "THIS_ATOM": "562a1648406fec4d386653956a0eed28",
        "THREADS": 4,
        "TIMESTAMP": 1779363111785,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 68852,
      "PROCESS_ID": 47152,
      "THREADS": 9,
      "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "05261f6e-aee5-4b5f-831f-27450c4c41b7",
      "event_time": 1779363112288,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1390,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "562a1648406fec4d386653956a0eed28",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory"
      ],
      "this": "7445916d732f438558f877c26a0eed29"
    }
  },
  "detect_id": "acbab16e-49bd-4d01-9a61-cff26a0eed29",
  "gen_time": 1779363113686,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1779363112\u0026selected=7445916d732f438558f877c26a0eed29",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "05261f6e-aee5-4b5f-831f-27450c4c41b7",
    "event_time": 1779363112288,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1390,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "562a1648406fec4d386653956a0eed28",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory"
    ],
    "this": "7445916d732f438558f877c26a0eed29"
  },
  "rule_tags": [
    "attack.t1547",
    "attack.persistence"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.fusionsoc-t1547-boot-logon-autostart-execution",
  "ts": 1779363113000
}
Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
Triage JSON
{
  "confidence": 0.567,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 37,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe detected process is Microsoft Edge (msedge.exe) running from its expected location, which is common and benign.\n\n**IOC Analysis:** The file path, command line, and hash all match legitimate Microsoft Edge binaries, indicating no malicious activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:16b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves msedge.exe, which is a legitimate Microsoft Edge process. The file is signed, and the path is within the Program Files directory, indicating it\u0027s a trusted application. The command line arguments are typical for background services, and the parent process is also msedge.exe, which is expected behavior for legitimate Edge operations. Historical data shows similar events being marked as false positives, supporting the conclusion that this is not malicious.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\, which is a known legitimate location for Microsoft Edge. The FILE_IS_SIGNED field is 1, indicating the binary is signed by Microsoft. The process is spawned from a parent msedge.exe process, which is normal for legitimate Edge operations. The command line arguments are typical for background services and do not indicate malicious activity.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "qwen3.5:35b: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (low, 80% confidence)",
      "deepseek-r1:16b +RAG: false_positive (medium, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "qwen3.5:35b",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.8,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:16b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Manual review required | executed | General Activity Sweep: 0 events found |
Notes (3)
FusionSOC AI, 2026-05-21T11:37
FusionSOC AI, 2026-05-21T11:37
FusionSOC AI, 2026-05-21T11:37
Timeline
2026-05-21T11:37:25 FusionSOC AI: Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 -> FALSE POSITIVE) - qwen3.5:35b: true_positive (medium, 0% ...
2026-05-21T11:37:03 FusionSOC AI: Status changed: open -> investigating
2026-05-21T11:37:03 FusionSOC: Action recommended -> executed: General Activity Sweep: 0 events found
2026-05-21T11:37:03 FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual review required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/- 2 ...
2026-05-21T11:37:02 FusionSOC: Response action queued: recommended on Manual review required
2026-05-21T11:37:02 FusionSOC: Action tag -> executed: Tag applied
2026-05-21T11:37:02 FusionSOC: Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-05-21T11:37:02 FusionSOC AI: Detection acbab16e-49bd-4d01-9a61-cff26a0eed29 triaged as true_positive (medium severity, confidence: 0%)
2026-05-21T11:37:02 FusionSOC AI: Case created from detection: general.fusionsoc-t1547-boot-logon-autostart-execution