Severity: low · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path (severity: low)
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 88% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D834E157-D994-4AD8-A6C1-2384EB185D20}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
44832
IOCs: 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
MITRE: T1204.002
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D834E157-D994-4AD8-A6C1-2384EB185D20}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
      "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
      "PARENT": {
        "BASE_ADDRESS": 15925248,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 29487104,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 44412,
        "THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
        "THREADS": 10,
        "TIMESTAMP": 1774364312730,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 44412,
      "PROCESS_ID": 44832
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "db9025ff-f9f1-4a4f-9a8b-a228868654fb",
      "event_time": 1774364675847,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1167,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "8666c9b4a7dc808d1fd77db969c2a699",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "64cf6ef7fcd938d200bff8bf69c2a804"
    }
  },
  "detect_id": "d2b73a25-7a29-403b-9533-6baf69c2a805",
  "gen_time": 1774364677017,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=64cf6ef7fcd938d200bff8bf69c2a804",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "db9025ff-f9f1-4a4f-9a8b-a228868654fb",
    "event_time": 1774364675847,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1167,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "8666c9b4a7dc808d1fd77db969c2a699",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "64cf6ef7fcd938d200bff8bf69c2a804"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.New Process from Atypical Path",
  "ts": 1774364677000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.883,
  "false_positive_reason": "The rule \u0027New Process from Atypical Path\u0027 correctly identified a process in a Temp folder, but failed to account for legitimate installer engines like InstallShield which frequently execute from these locations. The binary is signed and verified.",
  "investigation_questions": [
    "What software was the user attempting to install at the time of detection?"
  ],
  "ioc_analysis": "The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is a known-good signature for the InstallShield engine. The file path and parent-child relationship (MsiExec.exe -\u003e ISBEW64.exe) are consistent with legitimate software installation workflows.",
  "iocs_extracted": [
    "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
    "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
  ],
  "mitre_techniques": [
    "T1204.002"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelists the InstallShield engine (ISBEW64.exe) when signed and spawned by MsiExec.exe to reduce noise.",
    "No further action required for this specific host."
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on ISBEW64.exe running from a temporary directory, which is standard behavior for the InstallShield 64-bit Setup Engine during software installation. The process is signed by Flexera Software/Macrovision and was spawned by the legitimate Windows Installer service (MsiExec.exe).\n\n**IOC Analysis:** The hash 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 is a known-good signature for the InstallShield engine. The file path and parent-child relationship (MsiExec.exe -\u003e ISBEW64.exe) are consistent with legitimate software installation workflows.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is a known Windows Installer component (MSIEXEC) executing from a temporary directory, which is expected behavior for legitimate software installation or updates.\n\n**IOC Analysis:** ISBEW64.exe is a standard Windows Installer executable that runs from AppData\\Local\\Temp during MSI operations. The parent process MsiExec.exe confirms this is part of the Windows Installer service chain. The file is Microsoft-signed and located in a temporary directory, which is normal for installation processes.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nThe detection is likely a false positive as the process was spawned by a legitimate MsiExec.exe and the file is signed, despite the atypical path. Historical feedback supports this verdict.\n\n**IOC Analysis:** The FILE_PATH is atypical (C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\...) but the PARENT_PROCESS_ID (44412) corresponds to C:\\Windows\\syswow64\\MsiExec.exe, a known legitimate system binary. The file is signed, which is typical for legitimate software, reducing suspicion. The command line contains GUIDs, but this is common in legitimate system processes like MSI installations.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 90% confidence)",
      "deepseek-r1:8b: false_positive (low, 80% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.8,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Whitelists the InstallShield engine (ISBEW64.exe) when signed and spawned by MsiExec.exe to reduce noise. | executed | General Activity Sweep: 0 events found
recommended | No further action required for this specific host. | executed | General Activity Sweep: 0 events found
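The second recommended action above ("whitelist the InstallShield engine when signed and spawned by MsiExec.exe") is a tuning rule, and a one-line recommendation is easy to over-apply: a process named ISBEW64.exe anywhere, or a parent that merely happens to be called MsiExec.exe, must not be enough to silence the rule. The block below is an added example, not code from the case record, FusionSOC or LimaCharlie, written in Python because the case tooling already renders the PARENT record as a Python dict. It encodes the allowlist as an explicit predicate over the NEW_PROCESS event shape shown in the Raw Detection JSON and is deliberately stricter than the recommendation: the parent must be the real Windows Installer binary under System32 or SysWOW64, both binaries must report FILE_IS_SIGNED=1, the child must sit in %TEMP%\{GUID}\ as InstallShield extracts it, and the embedded PARENT record must agree with PARENT_PROCESS_ID. The case event is copied from the page; the three near-miss variants are constructed for illustration.

```python
"""Allowlist predicate for the case above: signed ISBEW64.exe spawned by MsiExec.exe.

Added example, not code from the case record, FusionSOC or LimaCharlie. It makes
the recommended suppression explicit and stricter than "signed + parent MsiExec":
real MsiExec.exe location, both binaries signed, InstallShield's %TEMP%\\{GUID}\\
layout, and a PARENT record consistent with PARENT_PROCESS_ID.
"""
from __future__ import annotations

import copy
import re
from typing import Any

# Genuine Windows Installer service binary locations (lower-cased for matching).
MSIEXEC_PATHS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}

# InstallShield extracts its 64-bit engine to %TEMP%\{GUID}\ISBEW64.exe. The sensor
# reported the user segment in 8.3 form (JOYHOW~1), so that segment is matched
# loosely; the GUID directory and the file name are required.
INSTALLSHIELD_TEMP_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\"
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\isbew64\.exe$",
    re.IGNORECASE,
)


def is_installshield_engine_fp(event: dict[str, Any]) -> tuple[bool, str]:
    """Return (suppress, reason) for one NEW_PROCESS event.

    suppress is True only when every condition holds; reason names the first failed
    condition so a near-miss still surfaces with an explanation. Caveat: the event
    carries only the FILE_IS_SIGNED flag, not the signer, so this cannot tell the
    InstallShield publisher's signature from any other valid Authenticode signature.
    """
    path = event.get("FILE_PATH", "").strip().lower()
    if not INSTALLSHIELD_TEMP_RE.match(path):
        return False, "child is not ISBEW64.exe inside a %TEMP%\\{GUID}\\ directory"
    if event.get("FILE_IS_SIGNED") != 1:
        return False, "child binary is not signed"

    parent = event.get("PARENT") or {}
    if parent.get("FILE_PATH", "").strip().lower() not in MSIEXEC_PATHS:
        return False, "parent is not MsiExec.exe from System32/SysWOW64"
    if parent.get("FILE_IS_SIGNED") != 1:
        return False, "parent MsiExec.exe is not signed"
    if event.get("PARENT_PROCESS_ID") != parent.get("PROCESS_ID"):
        return False, "PARENT_PROCESS_ID disagrees with the embedded PARENT record"
    return True, "signed ISBEW64.exe spawned by signed MsiExec.exe (InstallShield engine)"


# The event from this case (values copied from the Raw Detection JSON; fields the
# predicate does not read are omitted).
CASE_EVENT: dict[str, Any] = {
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": r"C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe",
    "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
    "PARENT": {
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": r"C:\Windows\syswow64\MsiExec.exe",
        "PROCESS_ID": 44412,
    },
    "PARENT_PROCESS_ID": 44412,
    "PROCESS_ID": 44832,
}


def _variant(base: dict[str, Any], **overrides: Any) -> dict[str, Any]:
    """Constructed near-miss: deep-copy the case event and override top-level keys."""
    ev = copy.deepcopy(base)
    ev.update(overrides)
    return ev


# Constructed variants that the allowlist must keep alerting on.
SAMPLE_EVENTS: dict[str, dict[str, Any]] = {
    "case_event": CASE_EVENT,
    "unsigned_child": _variant(CASE_EVENT, FILE_IS_SIGNED=0),
    "child_outside_guid_dir": _variant(
        CASE_EVENT, FILE_PATH=r"C:\Users\JOYHOW~1\AppData\Local\Temp\ISBEW64.exe"),
    "parent_masquerade": _variant(
        CASE_EVENT, PARENT={**CASE_EVENT["PARENT"], "FILE_PATH": r"C:\Users\Public\MsiExec.exe"}),
}


def triage_all(events: dict[str, dict[str, Any]] = SAMPLE_EVENTS) -> dict[str, tuple[bool, str]]:
    """Run the predicate over every sample and return name -> (suppress, reason)."""
    return {name: is_installshield_engine_fp(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (suppress, reason) in triage_all().items():
        print(f"{name:24s} suppress={suppress!s:5s} {reason}")
```

Only the case event is suppressed; the unsigned copy, the copy outside a GUID directory, and the copy whose parent is a MsiExec.exe under C:\Users\Public all still alert, each with the failed condition as its reason. Two points before deploying something like this as a blanket suppression: the models in the triage summary disagree about who signed the file (Flexera Software/Macrovision versus Microsoft), and the event itself only says FILE_IS_SIGNED=1, so a production rule should key on the signer identity from the sensor's code-signing data rather than the flag alone; and pinning the child to the HASH from this case is narrower but will break on the next InstallShield engine release, so a signer-plus-path rule ages better than a hash allowlist.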

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T16:22
🤖 FusionSOC AI 2026-03-24T16:22
🤖 FusionSOC AI 2026-03-24T16:22
🤖 FusionSOC AI 2026-03-24T16:22

📜 Timeline

2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:22:34
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:22:34
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:22:34
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No further action required for this specific host. **Sensor:** `8f3a47be-5629-4c...
2026-03-24T16:22:33
FusionSOC
Response action queued: recommended on No further action required for this specific host.
2026-03-24T16:22:33
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:22:33
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:22:33
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Whitelists the InstallShield engine (ISBEW64.exe) when signed and spawned by Msi...
2026-03-24T16:22:33
FusionSOC
Response action queued: recommended on Whitelists the InstallShield engine (ISBEW64.exe) when signed and spawned by MsiExec.exe to reduce noise.
2026-03-24T16:22:33
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:22:33
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:22:33
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T16:22:33
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T16:22:33
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:22:33
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:22:32
FusionSOC AI
Detection d2b73a25-7a29-403b-9533-6baf69c2a805 triaged as false_positive (low severity, confidence: 88%)
2026-03-24T16:22:32
FusionSOC AI
Case created from detection: general.New Process from Atypical Path