high closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path high
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 85% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E3E623B-BF2B-42C9-B241-C5A534DE64CE}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
45024
IOCs: 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
MITRE: T1204.002
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E3E623B-BF2B-42C9-B241-C5A534DE64CE}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
      "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
      "PARENT": {
        "BASE_ADDRESS": 15925248,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 29487104,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 44412,
        "THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
        "THREADS": 10,
        "TIMESTAMP": 1774364312730,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 44412,
      "PROCESS_ID": 45024
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "97c05a81-cd08-4413-ab93-ca52e9acff57",
      "event_time": 1774364676040,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 2119,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "8666c9b4a7dc808d1fd77db969c2a699",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "fbbdee61ef0c2a5aaae7718a69c2a805"
    }
  },
  "detect_id": "c008fb2c-0b46-4b3c-98f1-bc1669c2a806",
  "gen_time": 1774364678161,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364676\u0026selected=fbbdee61ef0c2a5aaae7718a69c2a805",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "97c05a81-cd08-4413-ab93-ca52e9acff57",
    "event_time": 1774364676040,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 2119,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "8666c9b4a7dc808d1fd77db969c2a699",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "fbbdee61ef0c2a5aaae7718a69c2a805"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.New Process from Atypical Path",
  "ts": 1774364678000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.85,
  "false_positive_reason": "Legitimate software installation (InstallShield Setup Engine)",
  "investigation_questions": [
    "What software was the user \u0027Joy Howell\u0027 installing at the time of the event?",
    "Are there any other unexpected processes spawned from the same Temp directory?"
  ],
  "ioc_analysis": "The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is currently clean on VirusTotal (0/72 engines) and is recognized as a legitimate InstallShield binary. The file is also marked as signed in the detection data, and its location in the AppData\\Local\\Temp folder is expected during an installation event.",
  "iocs_extracted": [
    "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
    "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
  ],
  "mitre_techniques": [
    "T1204.002"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "No further action required; mark as False Positive.",
    "Consider tuning the \u0027New Process from Atypical Path\u0027 rule to exclude signed InstallShield binaries spawned from temporary directories by MsiExec.exe."
  ],
  "risk_score": 17,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detected process \u0027ISBEW64.exe\u0027 is a legitimate component of the InstallShield 64-bit Setup Engine. It was spawned by the Windows Installer service (MsiExec.exe) from a temporary GUID folder, which is standard behavior for extracting and running setup scripts during software installation.\n\n**IOC Analysis:** The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is currently clean on VirusTotal (0/72 engines) and is recognized as a legitimate InstallShield binary. The file is also marked as signed in the detection data, and its location in the AppData\\Local\\Temp folder is expected during an installation event.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process ISBEW64.exe is a known Windows Installer executable (msiexec) variant running from a temporary directory, which is common for legitimate software installation or updates. The parent process msiexec.exe confirms this is part of the standard Windows Installer service chain.\n\n**IOC Analysis:** ISBEW64.exe is a legitimate Windows Installer helper process that runs alongside msiexec.exe during installations. The file path in AppData\\Local\\Temp is expected for temporary installer files, and the command line arguments are consistent with MSI installation parameters. The process is signed (FILE_IS_SIGNED: 1) and matches known Microsoft signing patterns.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.6\nThe process ISBEW64.exe is running from an atypical path in the Temp directory but is signed and spawned by legitimate MsiExec.exe, which could indicate a false positive or a legitimate installer component.\n\n**IOC Analysis:** The FILE_PATH is atypical for system binaries, located in the Temp folder with a GUID, but the FILE_IS_SIGNED is 1, suggesting it may be legitimate. The HASH is provided but not verified against a known database. The COMMAND_LINE contains parameters that might relate to embedding, but the parent process is expected in its directory.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 100% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: suspicious (medium, 60% confidence)"
    ],
    "votes": [
      {
        "confidence": 1.0,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.6,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated executed Tag applied
recommended Manual analyst review required — AI models (majority) executed General Activity Sweep: 0 events found
recommended No further action required; mark as False Positive. executed General Activity Sweep: 0 events found
recommended Consider tuning the 'New Process from Atypical Path' rule to exclude signed InstallShield binaries spawned from temporary directories by MsiExec.exe. executed Process Tree Investigation: 50 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T15:55
🤖 FusionSOC AI 2026-03-24T15:55
🤖 FusionSOC AI 2026-03-24T15:55
🤖 FusionSOC AI 2026-03-24T15:54

📜 Timeline

2026-03-24T16:05:07
analyst
Status changed: investigating → closed
2026-03-24T16:05:00
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:55:02
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:55:02
FusionSOC
Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-24T15:55:02
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Consider tuning the 'New Process from Atypical Path' rule to exclude signed ...
2026-03-24T15:55:01
FusionSOC
Response action queued: recommended on Consider tuning the 'New Process from Atypical Path' rule to exclude signed InstallShield binaries spawned from temporary directories by MsiExec.exe.
2026-03-24T15:55:01
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:55:01
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:55:01
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** No further action required; mark as False Positive. **Sensor:** `8f3a47be-5629-4...
2026-03-24T15:55:00
FusionSOC
Response action queued: recommended on No further action required; mark as False Positive.
2026-03-24T15:55:00
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:55:00
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:55:00
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Manual analyst review required โ€” AI models (majority) **Sensor:** `8f3a47be-5629...
2026-03-24T15:55:00
FusionSOC
Response action queued: recommended on Manual analyst review required — AI models (majority)
2026-03-24T15:55:00
FusionSOC
Action tag → executed: Tag applied
2026-03-24T15:55:00
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T15:54:59
FusionSOC AI
Detection c008fb2c-0b46-4b3c-98f1-bc1669c2a806 triaged as false_positive (high severity, confidence: 85%)
2026-03-24T15:54:59
FusionSOC AI
Case created from detection: general.New Process from Atypical Path