Case #483
general.New Process From Atypical Path
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Process from Atypical Path
low
Rule: general.New Process From Atypical Path
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: NEW_PROCESS
Confidence: 95% · Verdict: false positive
Event Data:
BASE_ADDRESS:
140699588624384
COMMAND_LINE:
C:\Users\ADMINI~1\AppData\Local\Temp\ADE7DECC-AB94-4557-A220-74663BA0AFBB\dismhost.exe {E25FA26D-F236-46A8-A03D-73E772882412}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\ADMINI~1\AppData\Local\Temp\ADE7DECC-AB94-4557-A220-74663BA0AFBB\dismhost.exe
HASH:
0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32
MEMORY_USAGE:
8581120
PARENT:
{'BASE_ADDRESS': 140700803989504, 'COMMAND_LINE': 'C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\system32\\cleanmgr.exe', 'HASH': '1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b', 'MEMORY_USAGE': 14024704, 'PARENT_ATOM': '3345e9ced8853bf86157712c69c2a7fc', 'PARENT_PROCESS_ID': 1696, 'PROCESS_ID': 788, 'THIS_ATOM': '75319d0baed2c3b328754ea569c2aa38', 'THREADS': 8, 'TIMESTAMP': 1774365239990, 'USER_NAME': 'DFLABSDC01\\Administrator'}
PARENT_PROCESS_ID:
788
PROCESS_ID:
1200
THREADS:
8
USER_NAME:
DFLABSDC01\Administrator
IOCs:
0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32
1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b
C:\Users\ADMINI~1\AppData\Local\Temp\ADE7DECC-AB94-4557-A220-74663BA0AFBB\dismhost.exe
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"BASE_ADDRESS": 140699588624384,
"COMMAND_LINE": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\ADE7DECC-AB94-4557-A220-74663BA0AFBB\\dismhost.exe {E25FA26D-F236-46A8-A03D-73E772882412}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\ADE7DECC-AB94-4557-A220-74663BA0AFBB\\dismhost.exe",
"HASH": "0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32",
"MEMORY_USAGE": 8581120,
"PARENT": {
"BASE_ADDRESS": 140700803989504,
"COMMAND_LINE": "C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\cleanmgr.exe",
"HASH": "1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b",
"MEMORY_USAGE": 14024704,
"PARENT_ATOM": "3345e9ced8853bf86157712c69c2a7fc",
"PARENT_PROCESS_ID": 1696,
"PROCESS_ID": 788,
"THIS_ATOM": "75319d0baed2c3b328754ea569c2aa38",
"THREADS": 8,
"TIMESTAMP": 1774365239990,
"USER_NAME": "DFLABSDC01\\Administrator"
},
"PARENT_PROCESS_ID": 788,
"PROCESS_ID": 1200,
"THREADS": 8,
"USER_NAME": "DFLABSDC01\\Administrator"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "9a01b6d8-9fc1-4bcb-a66d-f6c6acb8d31f",
"event_time": 1774365241536,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2831,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "75319d0baed2c3b328754ea569c2aa38",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "008bdecd776d9340583b21d469c2aa3b"
}
},
"detect_id": "760eea12-b2ec-40a8-93dd-1ccd69c2aa3c",
"gen_time": 1774365244371,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774365241\u0026selected=008bdecd776d9340583b21d469c2aa3b",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "9a01b6d8-9fc1-4bcb-a66d-f6c6acb8d31f",
"event_time": 1774365241536,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 2831,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "75319d0baed2c3b328754ea569c2aa38",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "008bdecd776d9340583b21d469c2aa3b"
},
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "general.New Process From Atypical Path",
"ts": 1774365244000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate system maintenance activity (Disk Cleanup) spawning a transient DISM host process in a temporary folder.",
"investigation_questions": [],
"ioc_analysis": "dismhost.exe (0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32) and cleanmgr.exe (1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b) are both legitimate, signed Microsoft binaries. The temporary path for dismhost.exe is expected during DISM operations.",
"iocs_extracted": [
"0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32",
"1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b",
"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\ADE7DECC-AB94-4557-A220-74663BA0AFBB\\dismhost.exe"
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whistelist dismhost.exe execution from AppData\\Local\\Temp when the parent process is cleanmgr.exe.",
"Close this alert as a false positive."
],
"risk_score": 7,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on \u0027dismhost.exe\u0027 running from a temporary directory, which is standard behavior for the Windows Deployment Image Servicing and Management tool when invoked by \u0027cleanmgr.exe\u0027 (Disk Cleanup) during system maintenance. Both the parent and child processes are Microsoft-signed binaries, and the execution context (/autoclean) confirms this as legitimate OS activity.\n\n**IOC Analysis:** dismhost.exe (0f25d825e0caa7574353951c11131bda85fd7792957467f23b24fa9a7d3d9d32) and cleanmgr.exe (1bdab94440132410d1ab623ded8f2427b34c233a063a150617af271b9394025b) are both legitimate, signed Microsoft binaries. The temporary path for dismhost.exe is expected during DISM operations.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because dismhost.exe is a legitimate Microsoft tool used for Windows Deployment Services and runs from the Temp directory during administrative maintenance tasks.\n\n**IOC Analysis:** The process dismhost.exe is a known Microsoft-signed binary (FILE_IS_SIGNED: 1) with a valid hash. It was spawned by cleanmgr.exe, which is a legitimate system utility for disk cleanup. The execution in the Temp directory is consistent with temporary deployment operations.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process dismhost.exe is running from a temporary directory, which is atypical, but it is signed and spawned by cleanmgr.exe, a legitimate Windows utility for system maintenance. This behavior is common and likely indicates a false positive.\n\n**IOC Analysis:** The FILE_PATH is in a temporary directory, which can be legitimate for system tools like DISM. The HASH is present but not verified against a database; however, the FILE_IS_SIGNED status and the legitimate parent process (cleanmgr.exe) suggest it is not malicious. The IOC is benign due to the context of system maintenance.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 100% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Whistelist dismhost.exe execution from AppData\Local\Temp when the parent process is cleanmgr.exe. | executed | Process Tree Investigation: 50 events found |
| recommended | Close this alert as a false positive. | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI
2026-03-24T15:28
FusionSOC AI
2026-03-24T15:28
FusionSOC AI
2026-03-24T15:27
FusionSOC AI
2026-03-24T15:27
Timeline
2026-03-24T16:03:15
analyst
Status changed: investigating → closed
2026-03-24T16:03:10
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:28:01
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:28:01
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:28:01
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a false positive. **Sensor:** `e4a1c62d-4d1f-44...` **Time W...
2026-03-24T15:28:00
FusionSOC
Response action queued: recommended on Close this alert as a false positive.
2026-03-24T15:28:00
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:28:00
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T15:28:00
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Whistelist dismhost.exe execution from AppData\Local\Temp when the parent pr...
2026-03-24T15:27:59
FusionSOC
Response action queued: recommended on Whistelist dismhost.exe execution from AppData\Local\Temp when the parent process is cleanmgr.exe.
2026-03-24T15:27:59
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:27:59
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:27:59
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T15:27:59
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T15:27:59
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T15:27:59
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T15:27:59
FusionSOC AI
Detection 760eea12-b2ec-40a8-93dd-1ccd69c2aa3c triaged as false_positive (low severity, confidence: 95%)
2026-03-24T15:27:59
FusionSOC AI
Case created from detection: general.New Process From Atypical Path