Case #501
general.New Process from Atypical Path
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Process from Atypical Path
high
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 83% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C10C3315-A3BC-4FCE-982B-316A7FE651FD}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
45424
IOCs:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
MITRE:
T1204.002
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Process from Atypical Path",
"detect": {
"event": {
"COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C10C3315-A3BC-4FCE-982B-316A7FE651FD}",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
"HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
"PARENT": {
"BASE_ADDRESS": 15925248,
"COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
"HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
"MEMORY_USAGE": 29487104,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 44412,
"THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
"THREADS": 10,
"TIMESTAMP": 1774364312730,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 44412,
"PROCESS_ID": 45424
},
"routing": {
"arch": 2,
"did": "",
"event_id": "07ebbe51-740c-49a0-b04d-66a07545274e",
"event_time": 1774364675489,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1522,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "46f707e1cd6f5f78259d433669c2a804"
}
},
"detect_id": "6df440dd-d1e4-4d6b-9fff-a9b369c2a805",
"gen_time": 1774364677013,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=46f707e1cd6f5f78259d433669c2a804",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "07ebbe51-740c-49a0-b04d-66a07545274e",
"event_time": 1774364675489,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1522,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "46f707e1cd6f5f78259d433669c2a804"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.New Process from Atypical Path",
"ts": 1774364677000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.827,
"false_positive_reason": "Legitimate software installation activity using a signed InstallShield engine spawned by the Windows Installer (MsiExec.exe).",
"investigation_questions": [
"What software was being installed at the time of the event?"
],
"ioc_analysis": "The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is identified as a legitimate InstallShield component (ISBEW64.exe) and is signed. The execution from AppData\\Local\\Temp is expected during the installation of software via MSI packages.",
"iocs_extracted": [
"8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
"C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
],
"mitre_techniques": [
"T1204.002"
],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"No further action required",
"Whitelist the InstallShield binary hash if this rule continues to trigger frequently for known-good installers"
],
"risk_score": 18,
"severity": "high",
"summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection triggered on ISBEW64.exe (InstallShield Engine 64-bit) running from a temporary directory, which is standard behavior for legitimate software installations. The process was spawned by MsiExec.exe (Windows Installer), is signed, and the file hash is globally recognized as benign with zero detections on VirusTotal.\n\n**IOC Analysis:** The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is identified as a legitimate InstallShield component (ISBEW64.exe) and is signed. The execution from AppData\\Local\\Temp is expected during the installation of software via MSI packages.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is a known Windows Installer executable (MSI) running from a temporary directory, which is typical for legitimate software installation activities. The parent process MsiExec.exe confirms this is part of the standard Windows Installer framework.\n\n**IOC Analysis:** ISBEW64.exe is a legitimate Windows Installer helper binary that runs from AppData\\Local\\Temp during MSI installations. The command line arguments with GUIDs are standard for installer operations. The file is signed and matches expected behavior for Windows Update or application installation scenarios.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.6\nThe detection event involves a new process from an atypical path in the Temp directory, which is unusual but spawned from a legitimate MsiExec.exe process. Further investigation is needed to determine if this is part of a legitimate installation or malicious activity.\n\n**IOC Analysis:** The FILE_PATH is located in a non-standard directory (AppData\\Local\\Temp with a GUID), which is atypical for system binaries. The HASH is provided but not verified against known malware databases. The FILE_IS_SIGNED status indicates a signature, but the signer is unknown and could be legitimate or malicious. The parent process is MsiExec.exe from SysWOW64, which is a legitimate system binary, potentially reducing the likelihood of a false positive but not eliminating it.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 98% confidence)",
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: suspicious (medium, 60% confidence)"
],
"votes": [
{
"confidence": 0.98,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.6,
"model": "deepseek-r1:8b",
"verdict": "suspicious"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI, 2026-03-24T16:18
FusionSOC AI, 2026-03-24T16:18
FusionSOC AI, 2026-03-24T16:18
FusionSOC AI, 2026-03-24T16:18
Timeline
2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:18:21
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:18:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:18:21
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelist the InstallShield binary hash if this rule continues to trigger freque...
2026-03-24T16:18:21
FusionSOC
Response action queued: recommended on Whitelist the InstallShield binary hash if this rule continues to trigger frequently for known-good installers
2026-03-24T16:18:20
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:18:20
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:18:20
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No further action required **Sensor:** `8f3a47be-5629-4c...` **Time Window:** +/...
2026-03-24T16:18:20
FusionSOC
Response action queued: recommended on No further action required
2026-03-24T16:18:20
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:18:20
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:18:20
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required - AI models (majority) **Sensor:** `8f3a47be-5629...
2026-03-24T16:18:20
FusionSOC
Response action queued: recommended on Manual analyst review required - AI models (majority)
2026-03-24T16:18:20
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:18:20
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:18:20
FusionSOC AI
Detection 6df440dd-d1e4-4d6b-9fff-a9b369c2a805 triaged as false_positive (high severity, confidence: 83%)
2026-03-24T16:18:20
FusionSOC AI
Case created from detection: general.New Process from Atypical Path