Severity: high · Status: closed · Verdict: suspicious

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path (severity: high)
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% · Verdict: suspicious
Event Data:
FILE_PATH: C:\Windows\Temp\{6ACCF0EF-7DF9-48E0-A509-7E7C433204D3}\.cr\vc_redist.x86.exe
HASH: 4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828
PROCESS_ID: 12052
IOCs:
file_path: C:\Windows\Temp\{6ACCF0EF-7DF9-48E0-A509-7E7C433204D3}\vc_redist.x86.exe
hash: 4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\{6ACCF0EF-7DF9-48E0-A509-7E7C433204D3}\\.cr\\vc_redist.x86.exe",
      "HASH": "4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828",
      "PROCESS_ID": 12052
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "9dffa22a-c213-4374-821b-a5166bea297f",
      "event_time": 1773605377127,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 2064,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "888c1e6872b28dad1641b0ea69b71201",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "3839f8074884c1dccc2da16469b71203"
    }
  },
  "detect_id": "631cbd8c-759f-4586-9e4b-275e69b71203",
  "gen_time": 1773605379191,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1773605377\u0026selected=3839f8074884c1dccc2da16469b71203",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "9dffa22a-c213-4374-821b-a5166bea297f",
    "event_time": 1773605377127,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 2064,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "888c1e6872b28dad1641b0ea69b71201",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "3839f8074884c1dccc2da16469b71203"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1773605379000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 1,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "vc_redist.x86.exe is a known Microsoft Visual C++ Redistributable installer that commonly installs to Windows\\Temp. The hash and process name match legitimate software, not malware indicators.",
  "investigation_questions": [
    "Is there a legitimate application requiring Visual C++ runtime on this host?",
    "Has this file been executed successfully before without issues?"
  ],
  "ioc_analysis": "The detected file vc_redist.x86.exe is a standard Visual C++ runtime installer commonly used by applications requiring .NET support. The path in Windows\\Temp is typical for temporary installers, and the process name matches known legitimate software. Historical analyst feedback consistently marks this as false positive.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\Temp\\{6ACCF0EF-7DF9-48E0-A509-7E7C433204D3}\\vc_redist.x86.exe"
    },
    {
      "type": "hash",
      "value": "4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models disagree or one model failed",
    "Allow the process to complete its installation",
    "Monitor for subsequent suspicious behavior from this installer",
    "Document as false positive in SIEM rules"
  ],
  "risk_score": 10,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a Gemini Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 Qwen Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive for a legitimate Windows Visual C++ Redistributable installer running from the Temp directory. The file extension and naming convention match known Microsoft-signed redistributables.\n\n**IOC Analysis:** The detected file vc_redist.x86.exe is a standard Visual C++ runtime installer commonly used by applications requiring .NET support. The path in Windows\\Temp is typical for temporary installers, and the process name matches known legitimate software. Historical analyst feedback consistently marks this as false positive.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)"
    ],
    "votes": [],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Manual analyst review required — AI models disagree or one model failed | executed | General Activity Sweep: 0 events found
recommended | Allow the process to complete its installation | executed | Process Tree Investigation: 48 events found
recommended | Monitor for subsequent suspicious behavior from this installer | executed | General Activity Sweep: 0 events found
recommended | Document as false positive in SIEM rules | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (5)

FusionSOC AI · 2026-03-15T20:16 (×5)

📜 Timeline

2026-03-18T01:33:40 · analyst · Status changed: triaging → closed
2026-03-18T01:33:35 · analyst · Analyst classified as False Positive (FP)
2026-03-15T20:16:22 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-15T20:16:22 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Document as false positive in SIEM rules **Sensor:** `ed8f7c3f-3a1a-49...` **Tim...
2026-03-15T20:16:22 · FusionSOC · Response action queued: recommended on Document as false positive in SIEM rules
2026-03-15T20:16:22 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-15T20:16:22 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Monitor for subsequent suspicious behavior from this installer **Sensor:** `ed8f...
2026-03-15T20:16:22 · FusionSOC · Response action queued: recommended on Monitor for subsequent suspicious behavior from this installer
2026-03-15T20:16:22 · FusionSOC · Action recommended → executed: Process Tree Investigation: 48 events found
2026-03-15T20:16:22 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Allow the process to complete its installation **Sensor:** `ed8f7c3f-3a1a-49...
2026-03-15T20:16:21 · FusionSOC · Response action queued: recommended on Allow the process to complete its installation
2026-03-15T20:16:21 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-15T20:16:20 · FusionSOC AI · Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models disagree or one model failed **Sensor...
2026-03-15T20:16:20 · FusionSOC · Response action queued: recommended on Manual analyst review required — AI models disagree or one model failed
2026-03-15T20:16:20 · FusionSOC · Action tag → executed: Tag applied
2026-03-15T20:16:20 · FusionSOC · Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-15T20:16:19 · FusionSOC AI · Detection 631cbd8c-759f-4586-9e4b-275e69b71203 triaged as suspicious (high severity, confidence: 95%)
2026-03-15T20:16:19 · FusionSOC AI · Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB