Severity: high · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\{7D13A75A-96DE-4AA2-B319-DBE9D3E01E20}\.cr\vc_redist.x64.exe
HASH:
568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd
PROCESS_ID:
16612
IOCs: {'type': 'file_path', 'value': 'C:\\Windows\\Temp\\{7D13A75A-96DE-4AA2-B319-DBE9D3E01E20}\\vc_redist.x64.exe'} {'type': 'file_hash', 'value': '568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd'}
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\{7D13A75A-96DE-4AA2-B319-DBE9D3E01E20}\\.cr\\vc_redist.x64.exe",
      "HASH": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd",
      "PROCESS_ID": 16612
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "f98105ca-6aef-4779-8f65-b6d517d4b6cd",
      "event_time": 1774189030893,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 663,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "3f311cfad093e4beb71ccb8d69bff9e3",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows"
      ],
      "this": "d8e096b83a2277b7b81f5bfd69bff9e7"
    }
  },
  "detect_id": "3eaf45ff-2bad-4025-9918-42a569bff9e7",
  "gen_time": 1774189031559,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774189030\u0026selected=d8e096b83a2277b7b81f5bfd69bff9e7",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "f98105ca-6aef-4779-8f65-b6d517d4b6cd",
    "event_time": 1774189030893,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 663,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "3f311cfad093e4beb71ccb8d69bff9e3",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows"
    ],
    "this": "d8e096b83a2277b7b81f5bfd69bff9e7"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774189031000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 1,
      "type-unsupported": 4,
      "undetected": 71
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.95,
  "false_positive_reason": "Microsoft Visual C++ Redistributable installers commonly run from Windows Temp directory and are legitimate software distribution files. The detection rule flags new file writes but does not account for common legitimate software installation patterns.",
  "investigation_questions": [
    "Is the application requesting this redistributable installed?",
    "Has this file been moved to Program Files upon completion?",
    "Are there any other suspicious processes running alongside this installer?"
  ],
  "ioc_analysis": "The file vc_redist.x64.exe is a well-known Microsoft Visual C++ redistributable installer, commonly used by applications requiring .NET runtime support. The location in C:\\Windows\\Temp\\ is standard for temporary installation files that may be moved to Program Files upon completion. The process name matches expected behavior for legitimate software distribution.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\Temp\\{7D13A75A-96DE-4AA2-B319-DBE9D3E01E20}\\vc_redist.x64.exe"
    },
    {
      "type": "file_hash",
      "value": "568c9ba533624084ea18f7a562b4aa2249ed4e41281524a061a0d0b1008cf6bd"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Allow this process type in future detections",
    "Document as known false positive for Microsoft redistributables",
    "Monitor for unusual behavior if file persists beyond expected timeframe"
  ],
  "risk_score": 10,
  "severity": "high",
  "summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive for a legitimate Microsoft Visual C++ Redistributable installer running from the Windows Temp directory. The process name and file extension are consistent with known software distribution patterns.\n\n**IOC Analysis:** The file vc_redist.x64.exe is a well-known Microsoft Visual C++ redistributable installer, commonly used by applications requiring .NET runtime support. The location in C:\\Windows\\Temp\\ is standard for temporary installation files that may be moved to Program Files upon completion. The process name matches expected behavior for legitimate software distribution.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 1,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found |
| recommended | Allow this process type in future detections | executed | Process Tree Investigation: 50 events found |
| recommended | Document as known false positive for Microsoft redistributables | executed | General Activity Sweep: 0 events found |
| recommended | Monitor for unusual behavior if file persists beyond expected timeframe | executed | Persistence Check: 0 events found |

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-22T23:34
🤖 FusionSOC AI 2026-03-22T23:34
🤖 FusionSOC AI 2026-03-22T23:34
🤖 FusionSOC AI 2026-03-22T23:34
🤖 FusionSOC AI 2026-03-22T23:34

📜 Timeline

2026-03-23T01:43:36 analyst: Status changed: investigating → closed
2026-03-23T01:43:25 analyst: Analyst classified as False Positive (FP)
2026-03-22T23:34:40 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:34:40 FusionSOC: Action recommended → executed: Persistence Check: 0 events found
2026-03-22T23:34:40 FusionSOC AI: Note by FusionSOC AI: ## 🔍 Persistence Check **Action:** Monitor for unusual behavior if file persists beyond expected timeframe **Sensor:** `...
2026-03-22T23:34:38 FusionSOC: Response action queued: recommended on Monitor for unusual behavior if file persists beyond expected timeframe
2026-03-22T23:34:38 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:34:38 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:34:38 FusionSOC AI: Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Document as known false positive for Microsoft redistributables **Sensor:** `ed8...
2026-03-22T23:34:37 FusionSOC: Response action queued: recommended on Document as known false positive for Microsoft redistributables
2026-03-22T23:34:37 FusionSOC AI: Status changed: investigating → investigating
2026-03-22T23:34:37 FusionSOC: Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-22T23:34:37 FusionSOC AI: Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** Allow this process type in future detections **Sensor:** `ed8f7c3f-3a1a-49.....
2026-03-22T23:34:36 FusionSOC: Response action queued: recommended on Allow this process type in future detections
2026-03-22T23:34:36 FusionSOC AI: Status changed: open → investigating
2026-03-22T23:34:36 FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
2026-03-22T23:34:36 FusionSOC AI: Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual analyst review required — AI models (majority) **Sensor:** `ed8f7c3f-3a1a...
2026-03-22T23:34:35 FusionSOC: Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-22T23:34:35 FusionSOC: Action tag → executed: Tag applied
2026-03-22T23:34:35 FusionSOC: Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-22T23:34:35 FusionSOC AI: Detection 3eaf45ff-2bad-4025-9918-42a569bff9e7 triaged as false_positive (high severity, confidence: 95%)
2026-03-22T23:34:35 FusionSOC AI: Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB