โ
Case #490
general.New Process from Atypical Path
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
New Process from Atypical Path
low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 88% ยท Verdict: false positive
Event Data:
BASE_ADDRESS:
9306112
COMMAND_LINE:
"C:\Users\JOYHOW~1\AppData\Local\Temp\\dbfhide.exe" "C:\Program Files\Intuit\QuickBooks Enterprise Solutions 24.0\\util_db_temp.ini" "C:\Program Files\Intuit\QuickBooks Enterprise Solutions 24.0\\util_db.ini"
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\dbfhide.exe
HASH:
9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b
MEMORY_USAGE:
5513216
PARENT:
{'BASE_ADDRESS': 140696016846848, 'COMMAND_LINE': 'C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\MsiExec.exe', 'HASH': '677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e', 'MEMORY_USAGE': 14663680, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 31932, 'THIS_ATOM': '0e2be6b24c56dfa0613f286f69c2a672', 'THREADS': 8, 'TIMESTAMP': 1774364274142, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
31932
PROCESS_ID:
32984
THREADS:
1
USER_NAME:
DESKTOP-ATSEPSK\Joy Howell
IOCs:
9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b
C:\Users\JOYHOW~1\AppData\Local\Temp\dbfhide.exe
MITRE:
T1218.007
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"BASE_ADDRESS": 9306112,
"COMMAND_LINE": "\"C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\\\dbfhide.exe\" \"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0\\\\util_db_temp.ini\" \"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0\\\\util_db.ini\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\dbfhide.exe",
"HASH": "9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b",
"MEMORY_USAGE": 5513216,
"PARENT": {
"BASE_ADDRESS": 140696016846848,
"COMMAND_LINE": "C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\MsiExec.exe",
"HASH": "677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e",
"MEMORY_USAGE": 14663680,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 31932,
"THIS_ATOM": "0e2be6b24c56dfa0613f286f69c2a672",
"THREADS": 8,
"TIMESTAMP": 1774364274142,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 31932,
"PROCESS_ID": 32984,
"THREADS": 1,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "2beec65b-2c35-4ce8-a50f-ce836946e3f4",
"event_time": 1774364678467,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 810,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "be6bff3034bc681683b4d40b69c2a806"
}
},
"detect_id": "915dec61-1f9f-452d-9b5d-0f3669c2a807",
"gen_time": 1774364679279,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364678\u0026selected=be6bff3034bc681683b4d40b69c2a806",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "2beec65b-2c35-4ce8-a50f-ce836946e3f4",
"event_time": 1774364678467,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 810,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "be6bff3034bc681683b4d40b69c2a806"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.New Process from Atypical Path",
"ts": 1774364679000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": true,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 1,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 71
}
}
}
๐ค Triage JSON
{
"confidence": 0.883,
"false_positive_reason": "Software installation/update",
"investigation_questions": [
"Was there a scheduled update or manual installation of QuickBooks on this host during this time?"
],
"ioc_analysis": "The process \u0027dbfhide.exe\u0027 is a signed component of QuickBooks. The parent process is the legitimate Windows Installer \u0027MsiExec.exe\u0027. The command line arguments specifically reference QuickBooks configuration files (util_db_temp.ini, util_db.ini), further confirming it as legitimate software activity.",
"iocs_extracted": [
"9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b",
"C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\dbfhide.exe"
],
"mitre_techniques": [
"T1218.007"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close the case as a False Positive.",
"Consider whitelisting signed binaries from Intuit or the specific hash for dbfhide.exe if this rule triggers frequently during updates."
],
"risk_score": 12,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection is a false positive triggered by a legitimate installation of QuickBooks Enterprise Solutions 24.0. The process \u0027dbfhide.exe\u0027 was spawned by the Windows Installer (MsiExec.exe) from a temporary directory, which is standard behavior for software installation and configuration.\n\n**IOC Analysis:** The process \u0027dbfhide.exe\u0027 is a signed component of QuickBooks. The parent process is the legitimate Windows Installer \u0027MsiExec.exe\u0027. The command line arguments specifically reference QuickBooks configuration files (util_db_temp.ini, util_db.ini), further confirming it as legitimate software activity.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process dbfhide.exe is a legitimate QuickBooks database helper utility running from a temporary directory with Microsoft-signed binaries and known parent processes (MsiExec). Historical analyst feedback consistently flags similar detections as false positives.\n\n**IOC Analysis:** The file path C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\dbfhide.exe is atypical but consistent with legitimate QuickBooks database utilities. The process is Microsoft-signed and launched by MsiExec.exe, a known Windows Installer executable. Command line arguments reference Intuit QuickBooks configuration files, indicating legitimate database maintenance activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nA new process from the Temp directory is spawned by a legitimate MsiExec.exe process and interacts with QuickBooks files. Given the context and IOC validation, it is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH is atypical for system binaries, but it is spawned by a legitimate MsiExec.exe process in System32. The process is signed, which is typical for legitimate software, and the command line references legitimate QuickBooks files. This aligns with common false positive scenarios for processes from the Temp directory when associated with trusted parents.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 95% confidence)",
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 80% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.8,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-24T15:44
๐ค FusionSOC AI
2026-03-24T15:44
๐ค FusionSOC AI
2026-03-24T15:44
๐ค FusionSOC AI
2026-03-24T15:44
๐ Timeline
2026-03-24T16:05:07
analyst
Status changed: investigating โ closed
2026-03-24T16:05:00
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:44:03
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T15:44:03
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:44:03
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Consider whitelisting signed binaries from Intuit or the specific hash for dbfhi...
2026-03-24T15:44:02
FusionSOC
Response action queued: recommended on Consider whitelisting signed binaries from Intuit or the specific hash for dbfhide.exe if this rule triggers frequently during updates.
2026-03-24T15:44:02
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T15:44:02
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:44:02
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close the case as a False Positive. **Sensor:** `8f3a47be-5629-4c...` **Time Win...
2026-03-24T15:44:02
FusionSOC
Response action queued: recommended on Close the case as a False Positive.
2026-03-24T15:44:02
FusionSOC AI
Status changed: open โ investigating
2026-03-24T15:44:02
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:44:02
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T15:44:02
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T15:44:02
FusionSOC
Action tag โ executed: Tag applied
2026-03-24T15:44:02
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T15:44:02
FusionSOC AI
Detection 915dec61-1f9f-452d-9b5d-0f3669c2a807 triaged as false_positive (low severity, confidence: 88%)
2026-03-24T15:44:02
FusionSOC AI
Case created from detection: general.New Process from Atypical Path