Case #507
general.New Process from Atypical Path
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Process from Atypical Path
low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 90% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB6EB7B4-18DD-4B87-9447-C1853F324950}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
46000
IOCs:
{'type': 'file_path', 'value': 'C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe'}
{'type': 'hash', 'value': '8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB6EB7B4-18DD-4B87-9447-C1853F324950}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
"HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
"PARENT": {
"BASE_ADDRESS": 15925248,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 29487104,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 44412,
"THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
"THREADS": 10,
"TIMESTAMP": 1774364312730,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 44412,
"PROCESS_ID": 46000
},
"routing": {
"arch": 2,
"did": "",
"event_id": "38cc64b0-501b-4c72-b4ea-b752ffac29ce",
"event_time": 1774364675353,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1647,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "34206ecaed2f7f8bcb67f31869c2a804"
}
},
"detect_id": "8f397de8-8f65-40f7-9808-48aa69c2a805",
"gen_time": 1774364677001,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=34206ecaed2f7f8bcb67f31869c2a804",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "38cc64b0-501b-4c72-b4ea-b752ffac29ce",
"event_time": 1774364675353,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1647,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "34206ecaed2f7f8bcb67f31869c2a804"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.New Process from Atypical Path",
"ts": 1774364677000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.9,
"false_positive_reason": "Process spawned by legitimate Windows Installer (MsiExec.exe) from expected system location, running in temporary directory which is normal for MSI operations. Historical analyst feedback consistently marks similar detections as false positives.",
"investigation_questions": [
"What software is being installed or updated?",
"Is this process part of a scheduled maintenance task?"
],
"ioc_analysis": "The file path is in AppData\\Local\\Temp, which is expected for temporary execution files. The parent process MsiExec.exe is a known Windows system binary running from its expected location (SysWOW64). The command line arguments appear to be standard MSI installation parameters. The hash and signature status are not provided as malicious indicators.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
},
{
"type": "hash",
"value": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Monitor for persistence mechanisms",
"Verify software installation activity in Windows Installer logs",
"No immediate containment required"
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is running from a temporary directory and appears to be spawned by Windows Installer (MsiExec.exe), which is a common legitimate activity for software installation or updates. Historical analyst feedback consistently flags similar detections as false positives.\n\n**IOC Analysis:** The file path is in AppData\\Local\\Temp, which is expected for temporary execution files. The parent process MsiExec.exe is a known Windows system binary running from its expected location (SysWOW64). The command line arguments appear to be standard MSI installation parameters. The hash and signature status are not provided as malicious indicators.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a process from an atypical path in the Temp folder, but it is likely a false positive as it is spawned by a legitimate MsiExec.exe process, commonly used for software installations. The signed binary may be part of a legitimate update or temporary operation.\n\n**IOC Analysis:** The FILE_PATH is in the Temp directory, which is common for temporary files and can be legitimate. However, it is spawned by MsiExec.exe (a legitimate system process for MSI installations), which reduces suspicion. The HASH is present but not cross-referenced here; the FILE_IS_SIGNED status does not guarantee legitimacy without trusted signer verification. Overall, the context suggests benign activity.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Monitor for persistence mechanisms | executed | Persistence Check: 0 events found |
| recommended | Verify software installation activity in Windows Installer logs | executed | General Activity Sweep: 0 events found |
| recommended | No immediate containment required | executed | General Activity Sweep: 0 events found |
Notes (5)
FusionSOC AI
2026-03-24T16:36
(five notes, all by FusionSOC AI at 2026-03-24T16:36; note bodies collapsed on the page)
Timeline
2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:36:06
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:36:06
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:36:06
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No immediate containment required **Sensor:** `8f3a47be-5629-4c...` **Time Windo...
2026-03-24T16:36:06
FusionSOC
Response action queued: recommended on No immediate containment required
2026-03-24T16:36:06
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:36:06
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:36:06
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify software installation activity in Windows Installer logs **Sensor:** `8f3...
2026-03-24T16:36:06
FusionSOC
Response action queued: recommended on Verify software installation activity in Windows Installer logs
2026-03-24T16:36:06
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:36:06
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T16:36:06
FusionSOC AI
Note by FusionSOC AI: ## Persistence Check **Action:** Monitor for persistence mechanisms **Sensor:** `8f3a47be-5629-4c...` **Time Window:**...
2026-03-24T16:36:05
FusionSOC
Response action queued: recommended on Monitor for persistence mechanisms
2026-03-24T16:36:05
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:36:05
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:36:05
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T16:36:05
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T16:36:05
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:36:05
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:36:05
FusionSOC AI
Detection 8f397de8-8f65-40f7-9808-48aa69c2a805 triaged as false_positive (low severity, confidence: 90%)
2026-03-24T16:36:05
FusionSOC AI
Case created from detection: general.New Process from Atypical Path