โ
Case #565
general.NEW FILE WRITE BYTES SAMPLE GRAB
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 ยท Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% ยท Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\mpextms.exe
HASH:
c7b8517e59acf4d0fd72070c63d80aabff3e0f198eb66bfb06b4220e19223f55
PROCESS_ID:
17988
IOCs:
c7b8517e59acf4d0fd72070c63d80aabff3e0f198eb66bfb06b4220e19223f55
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\mpextms.exe
MITRE:
T1036
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\mpextms.exe",
"HASH": "c7b8517e59acf4d0fd72070c63d80aabff3e0f198eb66bfb06b4220e19223f55",
"PROCESS_ID": 17988
},
"routing": {
"arch": 2,
"did": "",
"event_id": "d47eb907-5575-4ffa-919f-a60bd10b49e0",
"event_time": 1774468115845,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 5864,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "3a183707a0f991ae580862a969c43c18"
}
},
"detect_id": "4d17014e-012c-4a87-975b-a06769c43c19",
"gen_time": 1774468121709,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468115\u0026selected=3a183707a0f991ae580862a969c43c18",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "d47eb907-5575-4ffa-919f-a60bd10b49e0",
"event_time": 1774468115845,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 5864,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "9727bc761f07cc5e5c90b93a69c43c07",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "3a183707a0f991ae580862a969c43c18"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774468121000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
๐ค Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate system binary staged in a temporary directory during an update or maintenance cycle.",
"investigation_questions": [
"Was this process spawned by a known update service like services.exe or TiWorker.exe?",
"Are there any other files in the same temporary directory that appear suspicious?"
],
"ioc_analysis": "The filename \u0027mpextms.exe\u0027 and the provided SHA-256 hash are verified as a clean Microsoft-signed binary (Microsoft Defender Browser Extension Native Message Host). The location is atypical for permanent execution but normal for staging during updates.",
"iocs_extracted": [
"c7b8517e59acf4d0fd72070c63d80aabff3e0f198eb66bfb06b4220e19223f55",
"C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\mpextms.exe"
],
"mitre_techniques": [
"T1036"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close as False Positive",
"Add the specific hash to a global whitelist if the rule continues to trigger on legitimate updates",
"Monitor for any subsequent suspicious activity from this process, though none is currently indicated"
],
"risk_score": 8,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detected file \u0027mpextms.exe\u0027 with hash \u0027c7b8517e59acf4d0fd72070c63d80aabff3e0f198eb66bfb06b4220e19223f55\u0027 is a legitimate Microsoft Defender Browser Extension component. The execution from a temporary directory in C:\\Windows\\Temp\\ is common during automated updates or system maintenance tasks.\n\n**IOC Analysis:** The filename \u0027mpextms.exe\u0027 and the provided SHA-256 hash are verified as a clean Microsoft-signed binary (Microsoft Defender Browser Extension Native Message Host). The location is atypical for permanent execution but normal for staging during updates.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive caused by Microsoft Windows Update processes running in the Temp directory. The process tree shows legitimate system binaries like svchost.exe and wuauclt.exe associated with this activity.\n\n**IOC Analysis:** mpextms.exe is a known Microsoft Windows Update helper process that runs from C:\\Windows\\Temp\\ during updates. The presence of MpSigStub.exe (Microsoft Signature Stub) running under SYSTEM confirms this is part of the Windows Update infrastructure, not malware.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event is likely a false positive, as mpextms.exe is associated with legitimate system processes like MpSigStub.exe, and no malicious activity was detected in the investigation.\n\n**IOC Analysis:** mpextms.exe is located in C:\\Windows\\Temp, which is common for temporary files and can be legitimate. The hash is not provided for validation, but the process spawned MpSigStub.exe, a benign system process for signature checking. Historical feedback and investigation results confirm no malicious intent.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b +RAG: false_positive (low, 95% confidence)",
"deepseek-r1:8b +RAG: false_positive (informational, 95% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"had_rag": true,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | Process Tree Investigation: 50 events found |
๐ Add Note
๐ฌ Notes (7)
๐ค FusionSOC AI
2026-03-25T22:51
๐ค FusionSOC AI
2026-03-25T22:51
๐ค FusionSOC AI
2026-03-25T22:51
๐ค FusionSOC AI
2026-03-25T22:51
๐ค FusionSOC AI
2026-03-25T22:04
๐ค FusionSOC AI
2026-03-25T22:04
๐ค FusionSOC AI
2026-03-25T22:04
๐ Timeline
2026-03-26T14:34:17
analyst
Status changed: investigating โ closed
2026-03-26T14:34:09
analyst
Analyst classified as False Positive (FP)
2026-03-25T22:51:50
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ FALSE POSITIVE) - gemini-cli: false_positive (low, 95% c...
2026-03-25T22:51:32
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:51:32
FusionSOC
Action recommended โ executed: Process Tree Investigation: 50 events found
2026-03-25T22:51:32
FusionSOC AI
Note by FusionSOC AI: ## ๐ Process Tree Investigation **Action:** Monitor for any subsequent suspicious activity from this process, though non...
2026-03-25T22:51:30
FusionSOC
Response action queued: recommended on Monitor for any subsequent suspicious activity from this process, though none is currently indicated
2026-03-25T22:51:30
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:51:30
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:51:30
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Add the specific hash to a global whitelist if the rule continues to trigger on ...
2026-03-25T22:51:30
FusionSOC
Response action queued: recommended on Add the specific hash to a global whitelist if the rule continues to trigger on legitimate updates
2026-03-25T22:51:30
FusionSOC AI
Status changed: investigating โ investigating
2026-03-25T22:51:30
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:51:30
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close as False Positive **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2...
2026-03-25T22:51:29
FusionSOC
Response action queued: recommended on Close as False Positive
2026-03-25T22:51:29
FusionSOC
Action tag โ executed: Tag applied
2026-03-25T22:51:29
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:04:38
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 โ FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:04:19
FusionSOC AI
Status changed: open โ investigating
2026-03-25T22:04:19
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-25T22:04:19
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:04:18
FusionSOC
Response action queued: recommended on Manual review required
2026-03-25T22:04:18
FusionSOC
Action tag โ executed: Tag applied
2026-03-25T22:04:18
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:04:18
FusionSOC AI
Detection 4d17014e-012c-4a87-975b-a06769c43c19 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T22:04:18
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB