Case #368
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification: FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% · Verdict: suspicious
Event Data:
FILE_PATH:
C:\Windows\Temp\{7F39EE9E-D03D-4C93-A8AB-AE02BB6A0703}\.cr\vc_redist.x64.exe
HASH:
568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd
PROCESS_ID:
7852
IOCs:
{'type': 'file_path', 'value': 'C:\\Windows\\Temp\\{7F39EE9E-D03D-4C93-A8AB-AE02BB6A0703}\\vc_redist.x64.exe'}
{'type': 'hash', 'value': '568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\{7F39EE9E-D03D-4C93-A8AB-AE02BB6A0703}\\.cr\\vc_redist.x64.exe",
"HASH": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd",
"PROCESS_ID": 7852
},
"routing": {
"arch": 2,
"did": "",
"event_id": "aefb51fe-e146-4d74-94a8-72c94442d511",
"event_time": 1773605350367,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1351,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "206f993ed2df4ffef6ba071a69b711e0",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "8b2776f1ed4c0f8b1078ce2469b711e7"
}
},
"detect_id": "55dfea56-2cbc-43b0-b31c-19da69b711e7",
"gen_time": 1773605351737,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1773605350\u0026selected=8b2776f1ed4c0f8b1078ce2469b711e7",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "aefb51fe-e146-4d74-94a8-72c94442d511",
"event_time": 1773605350367,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1351,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "206f993ed2df4ffef6ba071a69b711e0",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "8b2776f1ed4c0f8b1078ce2469b711e7"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1773605351000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 1,
"type-unsupported": 4,
"undetected": 71
}
}
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Microsoft Visual C++ Redistributable is a legitimate software component. The detection rule appears to be overly broad in flagging new file writes for common system-installed components.",
"investigation_questions": [
"Is there a known application that requires Visual C++ runtime libraries?",
"Has this installer been downloaded or installed recently on the host?"
],
"ioc_analysis": "The file vc_redist.x64.exe is a well-known Microsoft component used to install runtime libraries for Visual C++. The extension .cr indicates it is a compressed archive, typical for redistributable packages. This process is not running from System32 but rather in Temp, which is expected behavior for downloaded installers.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Windows\\Temp\\{7F39EE9E-D03D-4C93-A8AB-AE02BB6A0703}\\vc_redist.x64.exe"
},
{
"type": "hash",
"value": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Manual analyst review required \u2014 AI models disagree or one model failed",
"Allow the process to complete its installation",
"Monitor for subsequent execution of extracted files from this archive",
"Verify file signature if available"
],
"risk_score": 10,
"severity": "high",
"summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a Gemini Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 Qwen Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a Microsoft Visual C++ Redistributable installer in the Windows Temp directory, which is a common legitimate activity for software installation and updates.\n\n**IOC Analysis:** The file vc_redist.x64.exe is a well-known Microsoft component used to install runtime libraries for Visual C++. The extension .cr indicates it is a compressed archive, typical for redistributable packages. This process is not running from System32 but rather in Temp, which is expected behavior for downloaded installers.",
"verdict": "suspicious",
"voting": {
"auto_action": "manual_review",
"mode": "split",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 95% confidence)"
],
"votes": [],
"winning_count": 1,
"winning_verdict": "suspicious"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 45 events found |
| recommended | | executed | File Activity Investigation: 0 events found |
| recommended | | executed | File Activity Investigation: 0 events found |
Notes (5)
FusionSOC AI · 2026-03-15T20:16
Timeline
- 2026-03-18T01:33:40 · analyst: Status changed: triaging → closed
- 2026-03-18T01:33:35 · analyst: Analyst classified as False Positive (FP)
- 2026-03-15T20:16:40 · FusionSOC: Action recommended → executed: File Activity Investigation: 0 events found
- 2026-03-15T20:16:40 · FusionSOC AI: Note by FusionSOC AI: ## File Activity Investigation **Action:** Verify file signature if available **Sensor:** `ed8f7c3f-3a1a-49...` **Time...
- 2026-03-15T20:16:39 · FusionSOC: Response action queued: recommended on Verify file signature if available
- 2026-03-15T20:16:39 · FusionSOC: Action recommended → executed: File Activity Investigation: 0 events found
- 2026-03-15T20:16:39 · FusionSOC AI: Note by FusionSOC AI: ## File Activity Investigation **Action:** Monitor for subsequent execution of extracted files from this archive **Sen...
- 2026-03-15T20:16:38 · FusionSOC: Response action queued: recommended on Monitor for subsequent execution of extracted files from this archive
- 2026-03-15T20:16:38 · FusionSOC: Action recommended → executed: Process Tree Investigation: 45 events found
- 2026-03-15T20:16:38 · FusionSOC AI: Note by FusionSOC AI: ## Process Tree Investigation **Action:** Allow the process to complete its installation **Sensor:** `ed8f7c3f-3a1a-49...
- 2026-03-15T20:16:36 · FusionSOC: Response action queued: recommended on Allow the process to complete its installation
- 2026-03-15T20:16:36 · FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
- 2026-03-15T20:16:36 · FusionSOC AI: Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required — AI models disagree or one model failed **Sensor...
- 2026-03-15T20:16:36 · FusionSOC: Response action queued: recommended on Manual analyst review required — AI models disagree or one model failed
- 2026-03-15T20:16:35 · FusionSOC: Action tag → executed: Tag applied
- 2026-03-15T20:16:35 · FusionSOC: Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
- 2026-03-15T20:16:34 · FusionSOC AI: Detection 55dfea56-2cbc-43b0-b31c-19da69b711e7 triaged as suspicious (high severity, confidence: 95%)
- 2026-03-15T20:16:34 · FusionSOC AI: Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB