Severity: high · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 63% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\x86\MpCopyAccelerator.exe
HASH:
3d36f3cc2ec5b95a4786e9ecee992dc9f409e3ee72fe7e138bc548fdfca01e80
PROCESS_ID:
17988
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\x86\\MpCopyAccelerator.exe",
      "HASH": "3d36f3cc2ec5b95a4786e9ecee992dc9f409e3ee72fe7e138bc548fdfca01e80",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "791c9c82-0703-4b0d-b9d6-ba6b88cdb50c",
      "event_time": 1774468116282,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 6857,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "864200438c0680d84df7bc8569c43c1a"
    }
  },
  "detect_id": "35f1fb73-2e36-4878-8bc8-4f0369c43c1b",
  "gen_time": 1774468123140,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468116\u0026selected=864200438c0680d84df7bc8569c43c1a",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "791c9c82-0703-4b0d-b9d6-ba6b88cdb50c",
    "event_time": 1774468116282,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 6857,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "864200438c0680d84df7bc8569c43c1a"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468123000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.633,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 23,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nMpCopyAccelerator.exe is a legitimate Microsoft Defender component used for platform updates and engine maintenance. The process was spawned by MpSigStub.exe running under SYSTEM privileges, consistent with normal Windows update behavior.\n\n**IOC Analysis:** The detected executable is a known Microsoft-signed binary (MpCopyAccelerator.exe) located in the standard Temp directory during installation or updates. Its hash matches known legitimate Defender components, and it spawned only benign child processes like MpSigStub.exe without any suspicious network activity or file modifications.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event is a false positive as MpCopyAccelerator.exe is a legitimate Microsoft Defender component used during system updates, and the investigation confirmed no malicious activity.\n\n**IOC Analysis:** FILE_PATH is in a temporary directory, which is atypical but context shows it\u0027s part of Microsoft Defender updates. HASH matches a known Microsoft-signed binary. The process tree indicates benign activity with MpSigStub.exe, another Defender component.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (informational, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated executed Tag applied
recommended No action required; this is a benign system process. executed Process Tree Investigation: 50 events found
recommended Consider tuning the rule 'general.NEW FILE WRITE BYTES SAMPLE GRAB' to exclude known Microsoft-signed binaries like MpCopyAccelerator.exe. executed File Activity Investigation: 0 events found
tag ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated executed Tag applied
recommended Manual review required executed General Activity Sweep: 0 events found
tag ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated executed Tag applied
recommended Manual review required executed General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (8)

🤖 FusionSOC AI 2026-03-25T23:01
🤖 FusionSOC AI 2026-03-25T23:01
🤖 FusionSOC AI 2026-03-25T21:58
🤖 FusionSOC AI 2026-03-25T21:58
🤖 FusionSOC AI 2026-03-25T21:47
🤖 FusionSOC AI 2026-03-25T21:47
🤖 FusionSOC AI 2026-03-25T21:47
🤖 FusionSOC AI 2026-03-25T21:47

📜 Timeline

2026-03-26T14:34:17
analyst
Status changed: investigating → closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T23:01:34
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T23:01:15
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T23:01:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T23:01:15
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T23:01:14
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T23:01:14
FusionSOC
Action tag → executed: Tag applied
2026-03-25T23:01:14
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:58:56
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T21:58:37
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T21:58:37
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:58:37
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T21:58:37
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T21:58:37
FusionSOC
Action tag → executed: Tag applied
2026-03-25T21:58:36
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:47:26
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 100% ...
2026-03-25T21:47:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-25T21:47:10
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-25T21:47:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Consider tuning the rule 'general.NEW FILE WRITE BYTES SAMPLE GRAB' to excl...
2026-03-25T21:47:08
FusionSOC
Response action queued: recommended on Consider tuning the rule 'general.NEW FILE WRITE BYTES SAMPLE GRAB' to exclude known Microsoft-signed binaries like MpCopyAccelerator.exe.
2026-03-25T21:47:08
FusionSOC AI
Status changed: open → investigating
2026-03-25T21:47:08
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-25T21:47:08
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** No action required; this is a benign system process. **Sensor:** `ed8f7c3f-3...
2026-03-25T21:47:06
FusionSOC
Response action queued: recommended on No action required; this is a benign system process.
2026-03-25T21:47:06
FusionSOC
Action tag → executed: Tag applied
2026-03-25T21:47:06
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:47:05
FusionSOC AI
Detection 35f1fb73-2e36-4878-8bc8-4f0369c43c1b triaged as false_positive (low severity, confidence: 100%)
2026-03-25T21:47:05
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB