low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path low
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 92% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9BD2097-94F6-4E86-BF71-876B8086CBBF}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
40800
IOCs: C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
MITRE: T1036.003
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9BD2097-94F6-4E86-BF71-876B8086CBBF}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
      "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
      "PARENT": {
        "BASE_ADDRESS": 15925248,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 29487104,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 44412,
        "THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
        "THREADS": 10,
        "TIMESTAMP": 1774364312730,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 44412,
      "PROCESS_ID": 40800
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "56960ff2-6a88-4fc2-ad20-a61bdae343c7",
      "event_time": 1774364675914,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1104,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "8666c9b4a7dc808d1fd77db969c2a699",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "2a9e8a6caab339509c6296bd69c2a804"
    }
  },
  "detect_id": "6de69553-dc1e-44f2-8604-4ab469c2a805",
  "gen_time": 1774364677020,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=2a9e8a6caab339509c6296bd69c2a804",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "56960ff2-6a88-4fc2-ad20-a61bdae343c7",
    "event_time": 1774364675914,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1104,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "8666c9b4a7dc808d1fd77db969c2a699",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "2a9e8a6caab339509c6296bd69c2a804"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.New Process from Atypical Path",
  "ts": 1774364677000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.917,
  "false_positive_reason": "Standard behavior for software installers using InstallShield and Windows Installer (MSI) to execute temporary setup files.",
  "investigation_questions": [
    "What software was being installed by \u0027Joy Howell\u0027 at the time of the alert?",
    "Is ISBEW64.exe a recurring source of alerts in this environment?"
  ],
  "ioc_analysis": "The file ISBEW64.exe and its parent MsiExec.exe are both signed binaries. The temporary path and GUID-named subdirectory are typical for InstallShield-based installations, and the parent-child relationship with MsiExec confirms the installation context.",
  "iocs_extracted": [
    "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
    "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9"
  ],
  "mitre_techniques": [
    "T1036.003"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelist the InstallShield wrapper (ISBEW64.exe) when spawned by MsiExec.exe to reduce false positive alerts from this rule."
  ],
  "risk_score": 12,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process ISBEW64.exe is the InstallShield 64-bit Engine Wrapper, which is being executed from a temporary directory as part of a legitimate software installation initiated by MsiExec.exe. This activity follows standard patterns for software installers that unpack components to the Temp directory before execution.\n\n**IOC Analysis:** The file ISBEW64.exe and its parent MsiExec.exe are both signed binaries. The temporary path and GUID-named subdirectory are typical for InstallShield-based installations, and the parent-child relationship with MsiExec confirms the installation context.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process ISBEW64.exe is a known Windows Installer executable (MSI) running from a temporary directory, which is typical behavior for legitimate software installation or updates. The parent process MsiExec.exe confirms this is part of the standard Windows Installer workflow.\n\n**IOC Analysis:** ISBEW64.exe is a well-known benign executable used by Microsoft\u0027s Windows Installer service. It runs from AppData\\Local\\Temp which is expected behavior for temporary installer files. The command line arguments with GUIDs are consistent with MSI installation parameters. The process is signed and spawned by MsiExec.exe, indicating legitimate system activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.85\nA new process was detected from an atypical path in the Temp directory, which is suspicious, but historical analyst feedback indicates this detection rule frequently produces false positives, suggesting benign behavior.\n\n**IOC Analysis:** The FILE_PATH is located in the Temp directory with a random GUID, which is common for legitimate temporary files but can also be exploited by malware. The file is signed, but the signature origin is unknown, and the parent process (MsiExec.exe) is legitimate, reducing the likelihood of malicious intent. The command line contains GUIDs that may be part of normal system operations.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 85% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.85,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action Target Status Result
tag 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated executed Tag applied
recommended Close case as false positive (unanimous AI verdict) executed General Activity Sweep: 0 events found
recommended Whitelist the InstallShield wrapper (ISBEW64.exe) when spawned by MsiExec.exe to reduce false positive alerts from this rule. executed General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (3)

🤖 FusionSOC AI 2026-03-24T16:17
🤖 FusionSOC AI 2026-03-24T16:17
🤖 FusionSOC AI 2026-03-24T16:17

📜 Timeline

2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:17:33
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:17:33
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:17:33
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Whitelist the InstallShield wrapper (ISBEW64.exe) when spawned by MsiExec.exe to...
2026-03-24T16:17:33
FusionSOC
Response action queued: recommended on Whitelist the InstallShield wrapper (ISBEW64.exe) when spawned by MsiExec.exe to reduce false positive alerts from this rule.
2026-03-24T16:17:33
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:17:33
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:17:33
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T16:17:33
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T16:17:33
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:17:32
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:17:32
FusionSOC AI
Detection 6de69553-dc1e-44f2-8604-4ab469c2a805 triaged as false_positive (low severity, confidence: 92%)
2026-03-24T16:17:32
FusionSOC AI
Case created from detection: general.New Process from Atypical Path