Case #518
general.New Process from Atypical Path
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Process from Atypical Path
low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 90% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\wacF0D7.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5074918C-5EB0-4969-98B7-1A21CEBBFD4F}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\wacF0D7.tmp
HASH:
081491c300116646e02fca9982e69f663893e8b7b29708d2bac2ce8dadeb245a
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 530945073EC63E68AF3654CF6EFD13FC E Global\\MSI0000', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 14524416, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 42100, 'THIS_ATOM': '02559b07fd44d57f73ea6c7669c2a6b2', 'THREADS': 8, 'TIMESTAMP': 1774364337660, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
42100
PROCESS_ID:
44608
IOCs:
{'type': 'file_path', 'value': 'C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\wacF0D7.tmp'}
{'type': 'hash', 'value': '081491c300116646e02fca9982e69f663893e8b7b29708d2bac2ce8dadeb245a'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\wacF0D7.tmp {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5074918C-5EB0-4969-98B7-1A21CEBBFD4F}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\wacF0D7.tmp",
"HASH": "081491c300116646e02fca9982e69f663893e8b7b29708d2bac2ce8dadeb245a",
"PARENT": {
"BASE_ADDRESS": 15925248,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 530945073EC63E68AF3654CF6EFD13FC E Global\\MSI0000",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 14524416,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 42100,
"THIS_ATOM": "02559b07fd44d57f73ea6c7669c2a6b2",
"THREADS": 8,
"TIMESTAMP": 1774364337660,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 42100,
"PROCESS_ID": 44608
},
"routing": {
"arch": 2,
"did": "",
"event_id": "219c2ebe-1eef-442e-8374-c5f80ab05127",
"event_time": 1774364665984,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1162,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "02559b07fd44d57f73ea6c7669c2a6b2",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "6bbfc80c2460b1fd45b6d3b569c2a7fa"
}
},
"detect_id": "0aeebde7-0121-47ea-b962-e3df69c2a7fb",
"gen_time": 1774364667147,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364665\u0026selected=6bbfc80c2460b1fd45b6d3b569c2a7fa",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "219c2ebe-1eef-442e-8374-c5f80ab05127",
"event_time": 1774364665984,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1162,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "02559b07fd44d57f73ea6c7669c2a6b2",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "6bbfc80c2460b1fd45b6d3b569c2a7fa"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.New Process from Atypical Path",
"ts": 1774364667000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": -1,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 71
}
}
}
Triage JSON
{
"confidence": 0.9,
"false_positive_reason": "The process is a legitimate Windows Installer executable (msiexec.exe) running from its expected location and signed by Microsoft. The child process appears to be a legitimate MSI installation or repair operation, likely triggered by Windows Update or SCCM.",
"investigation_questions": [
"What application is being installed or repaired?",
"Is there a scheduled task or service that triggered this installation?"
],
"ioc_analysis": "The parent process msiexec.exe is located in C:\\Windows\\syswow64\\ which is an expected location for 32-bit system binaries. The file is signed (FILE_IS_SIGNED: 1). The child process appears to be a legitimate MSI installation or repair operation, likely triggered by Windows Update or SCCM.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\wacF0D7.tmp"
},
{
"type": "hash",
"value": "081491c300116646e02fca9982e69f663893e8b7b29708d2bac2ce8dadeb245a"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Allow the process to complete its installation/repair operation",
"Monitor for any unexpected child processes or network connections from this process",
"Log the event as informational for future reference"
],
"risk_score": 10,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThis detection is a false positive because the process is a legitimate Windows Installer executable (msiexec.exe) running from its expected location and signed by Microsoft.\n\n**IOC Analysis:** The parent process msiexec.exe is located in C:\\Windows\\syswow64\\ which is an expected location for 32-bit system binaries. The file is signed (FILE_IS_SIGNED: 1). The child process appears to be a legitimate MSI installation or repair operation, likely triggered by Windows Update or SCCM.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process is likely benign as it is spawned by a legitimate system process (MsiExec.exe) and the file is signed, despite being located in a non-standard path which is common during MSI installations.\n\n**IOC Analysis:** The FILE_PATH is atypical for system binaries but contextually benign due to the parent process being MsiExec.exe from the expected directory. The file is signed, which aligns with legitimate software, and the command line appears related to software installation processes.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
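The triage above recommends tuning the rule to exclude signed binaries spawned by MsiExec.exe with GUID-based command lines, and its false-positive rationale describes the parent (msiexec.exe in syswow64) rather than the process the rule actually fired on (a .tmp in the user's Temp directory). The block below is an added example, not FusionSOC or LimaCharlie code, of what such an exclusion should check before a detection like this one is suppressed: it takes the event fields of this case (a constructed sample copied from the Raw Detection JSON) and the VirusTotal stats from the Threat Intel JSON, and only returns a suppression candidate when every part of the installer pattern holds, because FILE_IS_SIGNED: 1 says that a signature exists, not who signed the file. Function names, the "keep_alert"/"suppress_candidate" verdicts and the minimum-scanned-engines policy are the example's own assumptions.

```python
"""Tuning check for the 'New Process from Atypical Path' rule.

Added example, not FusionSOC or LimaCharlie code. It decides whether a
NEW_PROCESS event matches the Windows Installer pattern the AI triage
proposed to exclude (signed .tmp in a user's Temp, spawned by a system
MsiExec.exe -Embedding server, with a {GUID}:{GUID} argument) and refuses
to suppress on FILE_IS_SIGNED alone. Field names follow the LimaCharlie
event shown in the case; function names are the example's own.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_PAIR_RE = re.compile(rf"{GUID}:{GUID}")
# Parent command-line form seen in this case: -Embedding <32 hex> E Global\MSI<n>
MSI_EMBEDDING_RE = re.compile(r"-Embedding\s+[0-9A-Fa-f]{32}\s+E\s+Global\\MSI\d+", re.I)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed sample: the child and parent fields of this case's NEW_PROCESS event.
SAMPLE_EVENT = {
    "COMMAND_LINE": r"C:\Users\JOYHOW~1\AppData\Local\Temp\wacF0D7.tmp "
                    r"{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5074918C-5EB0-4969-98B7-1A21CEBBFD4F}",
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": r"C:\Users\JOYHOW~1\AppData\Local\Temp\wacF0D7.tmp",
    "HASH": "081491c300116646e02fca9982e69f663893e8b7b29708d2bac2ce8dadeb245a",
    "PARENT": {
        "COMMAND_LINE": r"C:\Windows\syswow64\MsiExec.exe -Embedding "
                        r"530945073EC63E68AF3654CF6EFD13FC E Global\MSI0000",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": r"C:\Windows\syswow64\MsiExec.exe",
        "PROCESS_ID": 42100,
        "USER_NAME": r"NT AUTHORITY\SYSTEM",
    },
    "PARENT_PROCESS_ID": 42100,
    "PROCESS_ID": 44608,
}
# Constructed sample: the VirusTotal stats block from the case's Threat Intel JSON.
SAMPLE_VT_STATS = {"malicious": 0, "suspicious": 0, "harmless": 0,
                   "undetected": 71, "type-unsupported": 4}


def parent_is_msiexec_embedding_server(parent: dict) -> bool:
    """Real MsiExec.exe from a system directory, signed, running as SYSTEM,
    in the -Embedding form seen on this case's parent."""
    p = PureWindowsPath(parent.get("FILE_PATH", ""))
    return (
        p.name.lower() == "msiexec.exe"
        and str(p.parent).lower() in SYSTEM_DIRS
        and parent.get("FILE_IS_SIGNED") == 1
        and parent.get("USER_NAME", "").upper() == r"NT AUTHORITY\SYSTEM"
        and MSI_EMBEDDING_RE.search(parent.get("COMMAND_LINE", "")) is not None
    )


def child_is_temp_tmp_with_guid_pair(event: dict) -> bool:
    """Child lives under <drive>:\\Users\\<user>\\AppData\\Local\\Temp, ends in
    .tmp, and its command line is exactly '<FILE_PATH> {GUID}:{GUID}'."""
    p = PureWindowsPath(event.get("FILE_PATH", ""))
    parts = [s.lower() for s in p.parts]
    in_user_temp = (len(parts) >= 7 and parts[1] == "users"
                    and parts[3:6] == ["appdata", "local", "temp"])
    if not (in_user_temp and p.suffix.lower() == ".tmp"):
        return False
    exe, _, args = event.get("COMMAND_LINE", "").rpartition(" ")
    return exe.lower() == str(p).lower() and GUID_PAIR_RE.fullmatch(args) is not None


def hash_reputation_is_clean(stats: dict, min_scanned: int = 20) -> bool:
    """Policy (assumed): nothing flagged the hash and enough engines actually scanned it."""
    scanned = stats.get("undetected", 0) + stats.get("harmless", 0)
    return stats.get("malicious", 0) == 0 and stats.get("suspicious", 0) == 0 and scanned >= min_scanned


def triage(event: dict, vt_stats: Optional[dict] = None) -> Tuple[str, List[str]]:
    """Return (verdict, notes). 'suppress_candidate' needs every condition;
    otherwise the alert stays ('keep_alert') with the failed conditions listed."""
    failed = []
    if event.get("FILE_IS_SIGNED") != 1:
        failed.append("child is unsigned")
    if not child_is_temp_tmp_with_guid_pair(event):
        failed.append("child is not '<user Temp>\\*.tmp {GUID}:{GUID}'")
    parent = event.get("PARENT", {})
    if not parent_is_msiexec_embedding_server(parent):
        failed.append("parent is not a system MsiExec.exe -Embedding server")
    if parent.get("PROCESS_ID") != event.get("PARENT_PROCESS_ID"):
        failed.append("PARENT.PROCESS_ID and PARENT_PROCESS_ID disagree")
    if vt_stats is not None and not hash_reputation_is_clean(vt_stats):
        failed.append("hash reputation is not clean")
    if failed:
        return "keep_alert", failed
    # The signer is not in the event; FILE_IS_SIGNED only says a signature exists.
    return "suppress_candidate", [
        "verify the Authenticode signer of the .tmp before adding it to the exclusion",
        "identify the installing product (Application event log, source MsiInstaller)",
    ]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, SAMPLE_VT_STATS))
```

Run as-is it reports this case as a suppression candidate with the two follow-ups; changing any one field (an unsigned child, an MsiExec.exe outside System32/SysWOW64, a command line whose argument is not a GUID pair, or a hash with a malicious verdict) keeps the alert, which is the behaviour a tuned exclusion should have.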
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 0 events found |
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 0 events found |
| recommended | | executed | Process Tree Investigation: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (8)
FusionSOC AI · 2026-03-24T17:28
FusionSOC AI · 2026-03-24T17:28
FusionSOC AI · 2026-03-24T17:28
FusionSOC AI · 2026-03-24T17:28
FusionSOC AI · 2026-03-24T17:09
FusionSOC AI · 2026-03-24T17:09
FusionSOC AI · 2026-03-24T17:09
FusionSOC AI · 2026-03-24T17:09
Timeline
2026-03-24T17:36:03 · analyst · Status changed: investigating → closed
2026-03-24T17:35:56 · analyst · Analyst classified as False Positive (FP)
2026-03-24T17:28:42 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:28:42 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:28:42 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Log the event as informational for future reference **Sensor:** `8f3a47be-5629-4...
2026-03-24T17:28:42 · FusionSOC · Response action queued: recommended on Log the event as informational for future reference
2026-03-24T17:28:42 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:28:42 · FusionSOC · Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T17:28:42 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Monitor for any unexpected child processes or network connections from this ...
2026-03-24T17:28:41 · FusionSOC · Response action queued: recommended on Monitor for any unexpected child processes or network connections from this process
2026-03-24T17:28:41 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:28:41 · FusionSOC · Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T17:28:41 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Allow the process to complete its installation/repair operation **Sensor:** ...
2026-03-24T17:28:41 · FusionSOC · Response action queued: recommended on Allow the process to complete its installation/repair operation
2026-03-24T17:28:41 · FusionSOC AI · Status changed: closed → investigating
2026-03-24T17:28:41 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:28:41 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T17:28:41 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T17:28:41 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T17:28:40 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T17:23:31 · analyst · Status changed: investigating → closed
2026-03-24T17:23:22 · analyst · Analyst classified as False Positive (FP)
2026-03-24T17:09:18 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:09:18 · FusionSOC · Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T17:09:18 · FusionSOC AI · Note by FusionSOC AI: ## Process Tree Investigation **Action:** Tune the 'New Process from Atypical Path' rule to exclude signed binaries sp...
2026-03-24T17:09:18 · FusionSOC · Response action queued: recommended on Tune the 'New Process from Atypical Path' rule to exclude signed binaries spawned by MsiExec.exe with GUID-based command lines
2026-03-24T17:09:18 · FusionSOC AI · Status changed: investigating → investigating
2026-03-24T17:09:18 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:09:18 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelist the specific hash if it is part of a standard corporate software packa...
2026-03-24T17:09:17 · FusionSOC · Response action queued: recommended on Whitelist the specific hash if it is part of a standard corporate software package
2026-03-24T17:09:17 · FusionSOC AI · Status changed: open → investigating
2026-03-24T17:09:17 · FusionSOC · Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:09:17 · FusionSOC AI · Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T17:09:17 · FusionSOC · Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T17:09:17 · FusionSOC · Action tag → executed: Tag applied
2026-03-24T17:09:17 · FusionSOC · Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T17:09:17 · FusionSOC AI · Detection 0aeebde7-0121-47ea-b962-e3df69c2a7fb triaged as false_positive (low severity, confidence: 92%)
2026-03-24T17:09:17 · FusionSOC AI · Case created from detection: general.New Process from Atypical Path