Case #504
general.New Process from Atypical Path
Analyst Verdict Classification
FP by analyst

AI Analysis

Detections (1)
New Process from Atypical Path
low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 85% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A62BD925-DBA2-49D7-B9B9-397202FA6756}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
39460
IOCs:
{'type': 'file_path', 'value': 'C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe'}
{'type': 'hash', 'value': '8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A62BD925-DBA2-49D7-B9B9-397202FA6756}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
"HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
"PARENT": {
"BASE_ADDRESS": 15925248,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 29487104,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 44412,
"THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
"THREADS": 10,
"TIMESTAMP": 1774364312730,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 44412,
"PROCESS_ID": 39460
},
"routing": {
"arch": 2,
"did": "",
"event_id": "6f2a099e-dc23-4a5a-a9f4-6d60d63eaa86",
"event_time": 1774364675442,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1565,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "21dfa0e5efb3279ef7945d7d69c2a804"
}
},
"detect_id": "da00eee5-96bd-4802-b20b-62cf69c2a805",
"gen_time": 1774364677008,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=21dfa0e5efb3279ef7945d7d69c2a804",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "6f2a099e-dc23-4a5a-a9f4-6d60d63eaa86",
"event_time": 1774364675442,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1565,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "21dfa0e5efb3279ef7945d7d69c2a804"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.New Process from Atypical Path",
"ts": 1774364677000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.85,
"false_positive_reason": "ISBEW64.exe is a legitimate Windows Installer helper binary. The detection rule flags atypical paths, but temporary directories are expected for installer components. The parent process MsiExec.exe confirms this is part of the standard Windows installation framework.",
"investigation_questions": [
"What is the source of the MSI installation?",
"Is there a pending Windows update or software installation in progress?"
],
"ioc_analysis": "ISBEW64.exe is a well-known Windows Installer helper binary that runs alongside msiexec.exe. The presence of GUIDs in the command line is typical for MSI operations. The file is signed and located in AppData\\Local\\Temp, which is expected behavior for temporary installer components.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
},
{
"type": "hash",
"value": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Monitor for unusual behavior from this process",
"Verify the MSI installation source if not already done"
],
"risk_score": 15,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is a known Windows Installer executable (msiexec) variant running from a temporary directory, which is common for legitimate MSI installations. The parent process MsiExec.exe confirms this is part of the standard Windows installation framework.\n\n**IOC Analysis:** ISBEW64.exe is a well-known Windows Installer helper binary that runs alongside msiexec.exe. The presence of GUIDs in the command line is typical for MSI operations. The file is signed and located in AppData\\Local\\Temp, which is expected behavior for temporary installer components.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe process ISBEW64.exe is spawned by MsiExec.exe, a legitimate system process, and is located in the Temp folder. The file is signed, suggesting it may be part of a legitimate software installation.\n\n**IOC Analysis:** FILE_PATH is atypical for system binaries, but the parent process is a known legitimate system binary (MsiExec.exe) from its expected location. The hash is present and the file is signed, reducing suspicion of malicious intent.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 80% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.8,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Monitor for unusual behavior from this process | executed | Process Tree Investigation: 0 events found |
| recommended | Verify the MSI installation source if not already done | executed | General Activity Sweep: 0 events found |
Notes (4)

- FusionSOC AI, 2026-03-24T16:25
- FusionSOC AI, 2026-03-24T16:25
- FusionSOC AI, 2026-03-24T16:25
- FusionSOC AI, 2026-03-24T16:25
Timeline

- 2026-03-24T17:23:31, analyst: Status changed: investigating → closed
- 2026-03-24T17:23:22, analyst: Analyst classified as False Positive (FP)
- 2026-03-24T16:25:55, FusionSOC AI: Status changed: investigating → investigating
- 2026-03-24T16:25:55, FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
- 2026-03-24T16:25:55, FusionSOC AI: Note by FusionSOC AI: General Activity Sweep **Action:** Verify the MSI installation source if not already done **Sensor:** `8f3a47be-562...
- 2026-03-24T16:25:55, FusionSOC: Response action queued: recommended on Verify the MSI installation source if not already done
- 2026-03-24T16:25:55, FusionSOC AI: Status changed: investigating → investigating
- 2026-03-24T16:25:55, FusionSOC: Action recommended → executed: Process Tree Investigation: 0 events found
- 2026-03-24T16:25:55, FusionSOC AI: Note by FusionSOC AI: Process Tree Investigation **Action:** Monitor for unusual behavior from this process **Sensor:** `8f3a47be-5629-4c...
- 2026-03-24T16:25:54, FusionSOC: Response action queued: recommended on Monitor for unusual behavior from this process
- 2026-03-24T16:25:54, FusionSOC AI: Status changed: open → investigating
- 2026-03-24T16:25:54, FusionSOC: Action recommended → executed: General Activity Sweep: 0 events found
- 2026-03-24T16:25:54, FusionSOC AI: Note by FusionSOC AI: General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
- 2026-03-24T16:25:54, FusionSOC: Response action queued: recommended on Close case as false positive (unanimous AI verdict)
- 2026-03-24T16:25:54, FusionSOC: Action tag → executed: Tag applied
- 2026-03-24T16:25:54, FusionSOC: Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
- 2026-03-24T16:25:54, FusionSOC AI: Detection da00eee5-96bd-4802-b20b-62cf69c2a805 triaged as false_positive (low severity, confidence: 85%)
- 2026-03-24T16:25:54, FusionSOC AI: Case created from detection: general.New Process from Atypical Path