Case #581
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 95% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\{D7297F9B-E224-470B-81F1-107AB96DA581}\.cr\vc_redist.x86.exe
HASH:
4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828
PROCESS_ID:
6636
IOCs:
C:\Windows\Temp\{D7297F9B-E224-470B-81F1-107AB96DA581}\.cr\vc_redist.x86.exe
4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Windows\\Temp\\{D7297F9B-E224-470B-81F1-107AB96DA581}\\.cr\\vc_redist.x86.exe",
"HASH": "4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828",
"PROCESS_ID": 6636
},
"routing": {
"arch": 2,
"did": "",
"event_id": "acf32026-046e-47fd-a539-70a6478d6b3a",
"event_time": 1774799750821,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1261,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "298dcb04334f3d9cecc556a069c94b7c",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "4fd45ba73acfc8195659ca4469c94b87"
}
},
"detect_id": "15c93180-4bd3-44f3-a574-02d069c94b88",
"gen_time": 1774799752084,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774799750\u0026selected=4fd45ba73acfc8195659ca4469c94b87",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "acf32026-046e-47fd-a539-70a6478d6b3a",
"event_time": 1774799750821,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": 1261,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "298dcb04334f3d9cecc556a069c94b7c",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "4fd45ba73acfc8195659ca4469c94b87"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774799752000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 1,
"type-unsupported": 4,
"undetected": 71
}
}
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate Microsoft Visual C++ Redistributable installer staging in temporary directory during software installation/update. Historical data for this rule indicates 100% false positive rate for similar patterns.",
"investigation_questions": [
"Was a software installation or update occurring on the host at the time of the event?"
],
"ioc_analysis": "The file name \u0027vc_redist.x86.exe\u0027 corresponds to a known Microsoft component. The path \u0027C:\\Windows\\Temp\\{GUID}\\.cr\\\u0027 is consistent with temporary extraction during software installation or updates, rather than malicious persistence.",
"iocs_extracted": [
"C:\\Windows\\Temp\\{D7297F9B-E224-470B-81F1-107AB96DA581}\\.cr\\vc_redist.x86.exe",
"4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828"
],
"mitre_techniques": [],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"Close case as false positive",
"Verify if software installation was in progress on the host",
"Consider tuning rule to exclude vc_redist in Temp paths"
],
"risk_score": 10,
"severity": "high",
"summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detected file is a legitimate Microsoft Visual C++ Redistributable installer staging in a temporary directory. Historical analysis of this specific detection rule shows a 100% false positive rate for similar temporary path patterns.\n\n**IOC Analysis:** The file name \u0027vc_redist.x86.exe\u0027 corresponds to a known Microsoft component. The path \u0027C:\\Windows\\Temp\\{GUID}\\.cr\\\u0027 is consistent with temporary extraction during software installation or updates, rather than malicious persistence.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 deepseek-r1:14b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 1,
"vote_summary": [
"dgx-122b: false_positive (low, 95% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "dgx-122b",
"verdict": "false_positive"
}
],
"winning_count": 1,
"winning_verdict": "false_positive"
}
}
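Before accepting the triage verdict above, an analyst would want to check the one thing the triage did not: that the file really is what its name claims. The AI reasoning rests on the filename and the Temp staging path, both of which an attacker controls, while the evidence the page does have that is hard to fake (a SHA-256 that VirusTotal already holds with 0 of 71 engines flagging it) was not tied back to the file on disk. The PowerShell below is an added example, not part of the FusionSOC case record or of LimaCharlie's tooling. It takes the FILE_PATH, HASH and PROCESS_ID from the detection event and verifies them on the host. It assumes it is run on desktop-3nfb237 (locally or over remoting) with administrative rights, soon after the event, because installers normally delete their .cr\ staging folder on exit.

```powershell
# Added verification script for this case; not part of the FusionSOC/LimaCharlie record.
# Checks the weak evidence the triage relied on (a Microsoft-looking name in a Temp path)
# against things that are harder to fake: the Authenticode chain, the SHA-256 the sensor
# reported, and the process that wrote the file.
# Assumption: run on the affected host with admin rights while the staging folder exists.

$FilePath       = 'C:\Windows\Temp\{D7297F9B-E224-470B-81F1-107AB96DA581}\.cr\vc_redist.x86.exe'
$ExpectedSha256 = '4a6e1044ff0f49d2e3b12f7c40352c7e573e0c58f3b3cc0b55b63c95ede87828'
$WriterPid      = 6636   # PROCESS_ID from the NEW_DOCUMENT event

function Test-StagedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSha256,
        [int]$WriterPid
    )

    $result = [ordered]@{
        Path        = $Path
        Exists      = (Test-Path -LiteralPath $Path)
        HashMatch   = $null
        SigStatus   = $null
        Signer      = $null
        ProductName = $null
        Writer      = $null
        Verdict     = 'inconclusive: file already removed, rely on the sensor sample grab and the VT result for the hash'
    }

    if ($result.Exists) {
        # 1. Does the on-disk file match the hash the sensor reported? VirusTotal already
        #    knows this hash (71 engines, none malicious), so a match ties that result to
        #    the bytes actually present on disk.
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.HashMatch = ($actual -ieq $ExpectedSha256)

        # 2. Is the Authenticode signature valid and does the chain end in a Microsoft signer?
        #    Status 'Valid' means the signature verifies and the chain builds to a trusted root.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.SigStatus   = [string]$sig.Status
        $result.Signer      = $sig.SignerCertificate.Subject
        $result.ProductName = (Get-Item -LiteralPath $Path).VersionInfo.ProductName
    }

    # 3. Who wrote the file? A redistributable staged by a legitimate installer is written by
    #    that installer. The PID may already have exited; if so, the process tree has to come
    #    from the sensor timeline linked in the detection instead.
    if ($WriterPid) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $WriterPid" -ErrorAction SilentlyContinue
        if ($proc) {
            $result.Writer = '{0} (PID {1}, parent PID {2}): {3}' -f $proc.Name, $proc.ProcessId, $proc.ParentProcessId, $proc.CommandLine
        } else {
            $result.Writer = "PID $WriterPid no longer running; pull the process tree from the sensor timeline"
        }
    }

    $microsoftSigned = ($result.SigStatus -eq 'Valid') -and ($result.Signer -like '*O=Microsoft Corporation*')
    if ($result.Exists -and $result.HashMatch -and $microsoftSigned) {
        $result.Verdict = 'benign: Microsoft-signed binary whose content matches the sensor hash'
    } elseif ($result.Exists -and -not $microsoftSigned) {
        # A file called vc_redist.x86.exe with no valid Microsoft signature is exactly what
        # a "new code in atypical path" rule exists to catch; do not close on the name alone.
        $result.Verdict = 'suspicious: name matches a Microsoft component but the signature does not'
    } elseif ($result.Exists -and -not $result.HashMatch) {
        $result.Verdict = 'suspicious: on-disk content differs from what the sensor hashed'
    }

    [pscustomobject]$result
}

Test-StagedInstaller -Path $FilePath -ExpectedSha256 $ExpectedSha256 -WriterPid $WriterPid | Format-List
```

The same three checks apply to the tuning recommendation in the triage output: an exclusion keyed only on `vc_redist` appearing under Temp would silence the rule for any file that borrows the name, so if the rule is tuned, key the exception on the signer and product information as well as the path, and keep the sample grab so the hash can still be checked after the fact.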
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive | executed | General Activity Sweep: 0 events found |
| recommended | Verify if software installation was in progress on the host | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning rule to exclude vc_redist in Temp paths | executed | General Activity Sweep: 0 events found |
Notes (5)
FusionSOC AI · 2026-03-29T19:36
FusionSOC AI · 2026-03-29T19:33
FusionSOC AI · 2026-03-29T19:33
FusionSOC AI · 2026-03-29T19:33
FusionSOC AI · 2026-03-29T19:33
Timeline
2026-03-29T19:41:01
analyst
Status changed: investigating → closed
2026-03-29T19:40:57
analyst
Analyst classified as False Positive (FP)
2026-03-29T19:36:00
FusionSOC AI
Note by FusionSOC AI: ## Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (1/1 → FALSE POSITIVE) - dgx-122b: false_positive (low, 95% conf...
2026-03-29T19:33:40
FusionSOC AI
Status changed: investigating → investigating
2026-03-29T19:33:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-29T19:33:40
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Consider tuning rule to exclude vc_redist in Temp paths **Sensor:** `ed8f7c3f-3a...
2026-03-29T19:33:39
FusionSOC
Response action queued: recommended on Consider tuning rule to exclude vc_redist in Temp paths
2026-03-29T19:33:39
FusionSOC AI
Status changed: investigating → investigating
2026-03-29T19:33:39
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-29T19:33:39
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify if software installation was in progress on the host **Sensor:** `ed8f7c3...
2026-03-29T19:33:39
FusionSOC
Response action queued: recommended on Verify if software installation was in progress on the host
2026-03-29T19:33:39
FusionSOC AI
Status changed: open → investigating
2026-03-29T19:33:39
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-29T19:33:39
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** ...
2026-03-29T19:33:38
FusionSOC
Response action queued: recommended on Close case as false positive
2026-03-29T19:33:38
FusionSOC
Action tag → executed: Tag applied
2026-03-29T19:33:38
FusionSOC
Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-29T19:33:38
FusionSOC AI
Detection 15c93180-4bd3-44f3-a574-02d069c94b88 triaged as false_positive (low severity, confidence: 95%)
2026-03-29T19:33:38
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB