low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA32F2AE-01F2-4320-9253-AC09FDDEBC6B}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
38236
IOCs: {'type': 'file_path', 'value': 'C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe'} {'type': 'hash', 'value': '8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9'}
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA32F2AE-01F2-4320-9253-AC09FDDEBC6B}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
      "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
      "PARENT": {
        "BASE_ADDRESS": 15925248,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 29487104,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 44412,
        "THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
        "THREADS": 10,
        "TIMESTAMP": 1774364312730,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 44412,
      "PROCESS_ID": 38236
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "fb249cc2-7008-4102-bb65-5c6df736dc04",
      "event_time": 1774364675399,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1605,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "8666c9b4a7dc808d1fd77db969c2a699",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "9f9467f1c7573d29bc8fe6ea69c2a804"
    }
  },
  "detect_id": "5f5d140b-aa28-44b6-8832-850569c2a805",
  "gen_time": 1774364677006,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=9f9467f1c7573d29bc8fe6ea69c2a804",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "fb249cc2-7008-4102-bb65-5c6df736dc04",
    "event_time": 1774364675399,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1605,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "8666c9b4a7dc808d1fd77db969c2a699",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "9f9467f1c7573d29bc8fe6ea69c2a804"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.New Process from Atypical Path",
  "ts": 1774364677000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.875,
  "false_positive_reason": "ISBEW64.exe is a legitimate Microsoft installer component running from Temp directory during normal installation activities. The parent process msiexec.exe confirms this is standard Windows Installer behavior.",
  "investigation_questions": [
    "What application is currently being installed on this system?",
    "Is there an active Windows Update or software deployment scheduled?"
  ],
  "ioc_analysis": "ISBEW64.exe is a well-known Microsoft installer component that runs in the Temp directory during installations. The command line arguments with GUIDs are standard MSI transaction identifiers used by legitimate installers. The file is signed and matches known Microsoft binaries, making this a false positive for malware detection.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
    },
    {
      "type": "hash",
      "value": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9"
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Log this event as a false positive for future reference",
    "No immediate action required - allow process to complete installation",
    "Monitor parent process msiexec.exe for any anomalies"
  ],
  "risk_score": 20,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is a known Windows Installer executable (MSI) running from a temporary directory, which is typical for legitimate installation activities. The parent process msiexec.exe confirms this is part of the standard Windows Installer workflow.\n\n**IOC Analysis:** ISBEW64.exe is a well-known Microsoft installer component that runs in the Temp directory during installations. The command line arguments with GUIDs are standard MSI transaction identifiers used by legitimate installers. The file is signed and matches known Microsoft binaries, making this a false positive for malware detection.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.85\nThe process ISBEW64.exe is spawned by MsiExec.exe, a legitimate system process for software installation, and is located in the Temp folder, which is common for temporary files. The file is signed, suggesting it may be part of a legitimate deployment.\n\n**IOC Analysis:** The FILE_PATH is atypical (C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\...) but the parent process is MsiExec.exe from SysWOW64, which is legitimate. The HASH is signed, but the unknown signer does not definitively confirm legitimacy. Given the parent context, it is likely benign.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 90% confidence)",
      "deepseek-r1:8b: false_positive (low, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.9,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated executed Tag applied
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Log this event as a false positive for future reference executed General Activity Sweep: 0 events found
recommended No immediate action required - allow process to complete installation executed Process Tree Investigation: 0 events found
recommended Monitor parent process msiexec.exe for any anomalies executed Process Tree Investigation: 0 events found

๐Ÿ“ Add Note

💬 Notes (5)

🤖 FusionSOC AI 2026-03-24T16:29

📜 Timeline

2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:29:19
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:29:19
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T16:29:19
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** Monitor parent process msiexec.exe for any anomalies **Sensor:** `8f3a47be-5...
2026-03-24T16:29:19
FusionSOC
Response action queued: recommended on Monitor parent process msiexec.exe for any anomalies
2026-03-24T16:29:19
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:29:19
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T16:29:19
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” Process Tree Investigation **Action:** No immediate action required - allow process to complete installation **Sens...
2026-03-24T16:29:19
FusionSOC
Response action queued: recommended on No immediate action required - allow process to complete installation
2026-03-24T16:29:19
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:29:19
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:29:19
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Log this event as a false positive for future reference **Sensor:** `8f3a47be-56...
2026-03-24T16:29:19
FusionSOC
Response action queued: recommended on Log this event as a false positive for future reference
2026-03-24T16:29:19
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:29:19
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:29:19
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T16:29:18
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T16:29:18
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:29:18
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:29:18
FusionSOC AI
Detection 5f5d140b-aa28-44b6-8832-850569c2a805 triaged as false_positive (low severity, confidence: 88%)
2026-03-24T16:29:18
FusionSOC AI
Case created from detection: general.New Process from Atypical Path