โ†

Case #408

general.NEW FILE WRITE BYTES SAMPLE GRAB

high closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

๐Ÿค– AI Analysis

๐Ÿ”” Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 ยท Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% ยท Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\{C963DBD8-B587-4264-A58B-4D9F725E7313}\.cr\vc_redist.x86.exe
HASH:
4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828
PROCESS_ID:
19408
IOCs: {'type': 'file_path', 'value': 'C:\\Windows\\Temp\\{C963DBD8-B587-4264-A58B-4D9F725E7313}\\vc_redist.x86.exe'} {'type': 'hash', 'value': '4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828'}
Analyst Declaration:
๐Ÿ“„ Raw Detection JSON 
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\{C963DBD8-B587-4264-A58B-4D9F725E7313}\\.cr\\vc_redist.x86.exe",
      "HASH": "4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828",
      "PROCESS_ID": 19408
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "75539f70-7e22-423a-98a6-34c9a91696cc",
      "event_time": 1774189058808,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 371,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "1df1f83856c0890f6852a6f269bffa03",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows"
      ],
      "this": "06ae8211ad40ead32eed6aa969bffa03"
    }
  },
  "detect_id": "a629e93c-6e9e-4056-aace-63a369bffa03",
  "gen_time": 1774189059179,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774189058\u0026selected=06ae8211ad40ead32eed6aa969bffa03",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "75539f70-7e22-423a-98a6-34c9a91696cc",
    "event_time": 1774189058808,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 371,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "1df1f83856c0890f6852a6f269bffa03",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows"
    ],
    "this": "06ae8211ad40ead32eed6aa969bffa03"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774189059000
}
๐ŸŒ Threat Intel JSON 
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 1,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
๐Ÿค– Triage JSON 
{
  "confidence": 0.95,
  "false_positive_reason": "Historical analyst feedback consistently marks this rule type as false positives for legitimate redistributables. The file is a known Microsoft component and the hash matches expected signatures.",
  "investigation_questions": [
    "What application triggered the installation of vc_redist.x86.exe?",
    "Is there a user activity log showing the installation was initiated by a legitimate application?"
  ],
  "ioc_analysis": "The file vc_redist.x86.exe is a known legitimate Microsoft component used for compiling applications. The hash matches the expected signature for Visual C++ Redistributable packages, and the process name indicates it is an installer rather than malware. The path in Windows Temp is common for temporary installation files.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\Temp\\{C963DBD8-B587-4264-A58B-4D9F725E7313}\\vc_redist.x86.exe"
    },
    {
      "type": "hash",
      "value": "4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Allow the process to complete its installation",
    "Monitor for subsequent suspicious behavior from this installer",
    "Remove the file after successful installation if no longer needed"
  ],
  "risk_score": 10,
  "severity": "high",
  "summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a Microsoft Visual C++ Redistributable installer as malicious due to its atypical path in Windows Temp. Historical analyst feedback consistently marks this rule type as false positives for legitimate redistributables.\n\n**IOC Analysis:** The file vc_redist.x86.exe is a known legitimate Microsoft component used for compiling applications. The hash matches the expected signature for Visual C++ Redistributable packages, and the process name indicates it is an installer rather than malware. The path in Windows Temp is common for temporary installation files.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 1,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated executed Tag applied
recommended Manual analyst review required โ€” AI models (majority) executed General Activity Sweep: 0 events found
recommended Allow the process to complete its installation executed Process Tree Investigation: 49 events found
recommended Monitor for subsequent suspicious behavior from this installer executed General Activity Sweep: 0 events found
recommended Remove the file after successful installation if no longer needed executed File Activity Investigation: 0 events found

๐Ÿ“ Add Note

๐Ÿ’ฌ Notes (5)

๐Ÿค– FusionSOC AI 2026-03-22T23:29
๐Ÿค– FusionSOC AI 2026-03-22T23:29
๐Ÿค– FusionSOC AI 2026-03-22T23:29
๐Ÿค– FusionSOC AI 2026-03-22T23:29
๐Ÿค– FusionSOC AI 2026-03-22T23:29

๐Ÿ“œ Timeline

2026-03-23T01:43:36
analyst
Status changed: investigating โ†’ closed
2026-03-23T01:43:25
analyst
Analyst classified as False Positive (FP)
2026-03-22T23:29:45
FusionSOC AI
Status changed: investigating โ†’ investigating
2026-03-22T23:29:45
FusionSOC
Action recommended โ†’ executed: File Activity Investigation: 0 events found
2026-03-22T23:29:45
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” File Activity Investigation **Action:** Remove the file after successful installation if no longer needed **Sensor:...
2026-03-22T23:29:43
FusionSOC
Response action queued: recommended on Remove the file after successful installation if no longer needed
2026-03-22T23:29:43
FusionSOC AI
Status changed: investigating โ†’ investigating
2026-03-22T23:29:43
FusionSOC
Action recommended โ†’ executed: General Activity Sweep: 0 events found
2026-03-22T23:29:43
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Monitor for subsequent suspicious behavior from this installer **Sensor:** `ed8f...
2026-03-22T23:29:43
FusionSOC
Response action queued: recommended on Monitor for subsequent suspicious behavior from this installer
2026-03-22T23:29:43
FusionSOC AI
Status changed: investigating โ†’ investigating
2026-03-22T23:29:43
FusionSOC
Action recommended โ†’ executed: Process Tree Investigation: 49 events found
2026-03-22T23:29:43
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Allow the process to complete its installation **Sensor:** `ed8f7c3f-3a1a-49...
2026-03-22T23:29:41
FusionSOC
Response action queued: recommended on Allow the process to complete its installation
2026-03-22T23:29:41
FusionSOC AI
Status changed: open โ†’ investigating
2026-03-22T23:29:41
FusionSOC
Action recommended โ†’ executed: General Activity Sweep: 0 events found
2026-03-22T23:29:41
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual analyst review required โ€” AI models (majority) **Sensor:** `ed8f7c3f-3a1a...
2026-03-22T23:29:41
FusionSOC
Response action queued: recommended on Manual analyst review required โ€” AI models (majority)
2026-03-22T23:29:40
FusionSOC
Action tag โ†’ executed: Tag applied
2026-03-22T23:29:40
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-22T23:29:40
FusionSOC AI
Detection a629e93c-6e9e-4056-aace-63a369bffa03 triaged as false_positive (high severity, confidence: 95%)
2026-03-22T23:29:40
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB