Interesting,
I was digging in the submit DB and found these samples by name of parent process and the location on a customer machine:
04433D326B4E14A380CDC8BFA27394D178744A19061EF31817823BE8E918D90C
26DADB77345E830258BC20BE11A1437B8451E6D670BD4C2F091A0DD0B0A65CFE
2824B5D61B41CB040A3BF1C8CFB4D17F47AECF4D0BD24A38BCAFCF669D7CC811
4355DDA03F4C8B9A913502FE232BA6BD161D3E7838840B87982A0158F2AD2E49
5B32673833D34D689EBB8422B07D0086987FDFD65C4AA1F96F6447944B7FD61F
666B63E9C252D49C63D0A3002514E14BA5C2BC659CFDF203CB6B4DD87C9B981A
8269C75C2107AA354525C75BFBFF2D0DA5D143F7485EB1C614A9CA4F751E1C42
8F5FA05821818207558ABC8631B5BC267CE176D6A58930EA07E822917F32E76C
915DE05DA7BC6C74AB149120BE2525D917885EA82F0402D4AB932E47A87B0B7B
ABDA5CD8818924E08F21BB6A6638C7D3C78ECB99B0D64FF5B8EED1A998D16B3A
B85C02E7EBEFD8F50349F977F4CD139A5AC830A36BB610E2BF557646D4C42FCE
C1646F9BFF2F50E0CE10043DD6FEFC3AC16C716D6110B6C77DC1B0BB703D1E34
CA5B5879910941ECFF0E1F311B54DDD37F1A7D954F74B106A45D7F5DEE732F7A
CA993685813010F0405136C5392FFE7DDDA774F9905F46315FED1D4E73C02C89
CB36DCA652DB6027C7FAEE4F8A3A40D89FE47334957057260512D7F4FBC69025
CC3AA9C7B6C133431E2289C3F5B8463DA775AF0B2F760A2F9F35936554DF69FE
F4B33C8EB06FFAC0591303FB56FDB02E720FDD5974AC35272602A1F58D42F6D4
There was about 5 detections on them. I disable them and whitelisted samples, but this is not the generic solution.
Adam