Severity: low | Status: closed | Classification: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path (severity: low)
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 88% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\{B68467A3-8FC7-437C-AEF4-C476474575B2}\.be\VC_redist.x64.exe
HASH:
568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd
PROCESS_ID:
11024
IOCs: {'type': 'file_path', 'value': 'C:\\Windows\\Temp\\{B68467A3-8FC7-437C-AEF4-C476474575B2}\\\\.be\\VC_redist.x64.exe'} {'type': 'hash', 'value': '568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd'}
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\{B68467A3-8FC7-437C-AEF4-C476474575B2}\\.be\\VC_redist.x64.exe",
      "HASH": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd",
      "PROCESS_ID": 11024
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "dc1781e5-37f9-49e5-aedb-176cb7f1e405",
      "event_time": 1774189036907,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 680,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "a859939381922e1b660e480269bff9e7",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows"
      ],
      "this": "33d4a80f4c3a9555783380a669bff9ed"
    }
  },
  "detect_id": "2108649d-94e0-43b5-9f0f-5dd169bff9ed",
  "gen_time": 1774189037587,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774189036\u0026selected=33d4a80f4c3a9555783380a669bff9ed",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "dc1781e5-37f9-49e5-aedb-176cb7f1e405",
    "event_time": 1774189036907,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 680,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "a859939381922e1b660e480269bff9e7",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows"
    ],
    "this": "33d4a80f4c3a9555783380a669bff9ed"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774189037000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 1,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.875,
  "false_positive_reason": "Microsoft Visual C++ Redistributable installers commonly use .be\\VC_redist.x64.exe naming and run from Temp directories during installation. This is standard behavior for legitimate software deployment.",
  "investigation_questions": [
    "What application or service triggered this VC_redist installer?",
    "Is there a known software update requiring Visual C++ redistributables on this host?",
    "Has this specific hash been seen in legitimate installations before?"
  ],
  "ioc_analysis": "The file .be\\VC_redist.x64.exe is a known Microsoft Visual C++ redistributable installer. While it resides in Temp (which can be suspicious), the naming convention and lack of malicious indicators suggest it is legitimate system software being installed by an application or update process.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\Temp\\{B68467A3-8FC7-437C-AEF4-C476474575B2}\\\\.be\\VC_redist.x64.exe"
    },
    {
      "type": "hash",
      "value": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Allow the process to complete its installation",
    "Monitor for subsequent suspicious behavior from this file",
    "Verify the parent process that initiated this installation"
  ],
  "risk_score": 15,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because the file path indicates a legitimate Microsoft Visual C++ Redistributable installer running from a temporary directory, which is standard behavior for software installation.\n\n**IOC Analysis:** The file .be\\VC_redist.x64.exe is a known Microsoft Visual C++ redistributable installer. While it resides in Temp (which can be suspicious), the naming convention and lack of malicious indicators suggest it is legitimate system software being installed by an application or update process.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe detection is likely a false positive as the file appears to be a Visual C++ Redistributable installer, which is commonly legitimate, despite the atypical file path in the Temp directory. The hash should be verified for Microsoft signatures to confirm benignity.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Windows\\Temp, which can be atypical and potentially suspicious, but VC_redist.x64.exe is a legitimate Microsoft installer for Visual C++ components. The HASH should be checked against known Microsoft-signed binaries; if signed by Microsoft, it is likely benign. The absence of malicious indicators and historical FP feedback supports this.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action      | Target                                                        | Status   | Result
tag         | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict)           | executed | General Activity Sweep: 0 events found
recommended | Allow the process to complete its installation                | executed | Process Tree Investigation: 50 events found
recommended | Monitor for subsequent suspicious behavior from this file     | executed | File Activity Investigation: 0 events found
recommended | Verify the parent process that initiated this installation    | executed | Process Tree Investigation: 50 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-22T23:32
🤖 FusionSOC AI 2026-03-22T23:32
🤖 FusionSOC AI 2026-03-22T23:32
🤖 FusionSOC AI 2026-03-22T23:32
🤖 FusionSOC AI 2026-03-22T23:32

📜 Timeline

2026-03-23T01:43:36
analyst
Status changed: investigating → closed
2026-03-23T01:43:25
analyst
Analyst classified as False Positive (FP)
2026-03-22T23:32:11
FusionSOC AI
Status changed: investigating → investigating
2026-03-22T23:32:11
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-22T23:32:11
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Verify the parent process that initiated this installation **Sensor:** `ed8f...
2026-03-22T23:32:10
FusionSOC
Response action queued: recommended on Verify the parent process that initiated this installation
2026-03-22T23:32:10
FusionSOC AI
Status changed: investigating → investigating
2026-03-22T23:32:10
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-22T23:32:10
FusionSOC AI
Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Monitor for subsequent suspicious behavior from this file **Sensor:** `ed8f...
2026-03-22T23:32:08
FusionSOC
Response action queued: recommended on Monitor for subsequent suspicious behavior from this file
2026-03-22T23:32:08
FusionSOC AI
Status changed: investigating → investigating
2026-03-22T23:32:08
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-22T23:32:08
FusionSOC AI
Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Allow the process to complete its installation **Sensor:** `ed8f7c3f-3a1a-49...
2026-03-22T23:32:07
FusionSOC
Response action queued: recommended on Allow the process to complete its installation
2026-03-22T23:32:07
FusionSOC AI
Status changed: open → investigating
2026-03-22T23:32:07
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:32:07
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `ed8f7c3f-3a1a-4...
2026-03-22T23:32:07
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-22T23:32:07
FusionSOC
Action tag → executed: Tag applied
2026-03-22T23:32:07
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-22T23:32:06
FusionSOC AI
Detection 2108649d-94e0-43b5-9f0f-5dd169bff9ed triaged as false_positive (low severity, confidence: 88%)
2026-03-22T23:32:06
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB