Severity: low · Status: closed · Classification: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

New Process from Atypical Path (low)
Rule: general.New Process from Atypical Path
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 85% · Verdict: false positive
Event Data:
COMMAND_LINE:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33719072-0651-4FC5-BFED-B0CCE5E56FFA}
FILE_IS_SIGNED:
1
FILE_PATH:
C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PARENT:
{'BASE_ADDRESS': 15925248, 'COMMAND_LINE': 'C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\syswow64\\MsiExec.exe', 'HASH': '34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c', 'MEMORY_USAGE': 29487104, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 44412, 'THIS_ATOM': '8666c9b4a7dc808d1fd77db969c2a699', 'THREADS': 10, 'TIMESTAMP': 1774364312730, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
44412
PROCESS_ID:
45292
IOCs: 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 C:\Users\JOYHOW~1\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
MITRE: T1072
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Process from Atypical Path",
  "detect": {
    "event": {
      "COMMAND_LINE": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33719072-0651-4FC5-BFED-B0CCE5E56FFA}",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
      "HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
      "PARENT": {
        "BASE_ADDRESS": 15925248,
        "COMMAND_LINE": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 581DB1B77D828D0E33C7463410BF0344",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\syswow64\\MsiExec.exe",
        "HASH": "34e2e75cb8622809e4f95b3e665071d755870f503167268f23d0110cc5f7ee2c",
        "MEMORY_USAGE": 29487104,
        "PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
        "PARENT_PROCESS_ID": 38156,
        "PROCESS_ID": 44412,
        "THIS_ATOM": "8666c9b4a7dc808d1fd77db969c2a699",
        "THREADS": 10,
        "TIMESTAMP": 1774364312730,
        "USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
      },
      "PARENT_PROCESS_ID": 44412,
      "PROCESS_ID": 45292
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "f1767436-223f-4880-a73c-ce93b9577e5d",
      "event_time": 1774364675295,
      "event_type": "NEW_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 1695,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "8666c9b4a7dc808d1fd77db969c2a699",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_disk",
        "yara_detection_memory"
      ],
      "this": "c9319b10fcbd7badd95f86bd69c2a803"
    }
  },
  "detect_id": "fe61709c-69c4-4520-9d1e-86b569c2a804",
  "gen_time": 1774364676991,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=c9319b10fcbd7badd95f86bd69c2a803",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "f1767436-223f-4880-a73c-ce93b9577e5d",
    "event_time": 1774364675295,
    "event_type": "NEW_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 1695,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "8666c9b4a7dc808d1fd77db969c2a699",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_disk",
      "yara_detection_memory"
    ],
    "this": "c9319b10fcbd7badd95f86bd69c2a803"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.New Process from Atypical Path",
  "ts": 1774364676000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.85,
  "false_positive_reason": "Legitimate software installer component running from a temporary directory as part of a standard installation process.",
  "investigation_questions": [
    "Was the user \u0027Joy Howell\u0027 intentionally installing or updating software at the time of the detection?"
  ],
  "ioc_analysis": "The file ISBEW64.exe is signed and its hash (8023e720...) is not associated with malicious activity in public databases. Its execution from AppData\\Local\\Temp and parentage by MsiExec.exe are consistent with legitimate InstallShield operations.",
  "iocs_extracted": [
    "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
    "C:\\Users\\JOYHOW~1\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
  ],
  "mitre_techniques": [
    "T1072"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "No action required; the activity is benign.",
    "Consider tuning the detection rule to exclude signed InstallShield binaries spawned by MsiExec.exe from temporary directories."
  ],
  "risk_score": 12,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detected process ISBEW64.exe is a legitimate component of the InstallShield 64-bit Setup Engine developed by Flexera Software. It was executed from a temporary directory by MsiExec.exe, which is the standard and expected behavior during a software installation or update process.\n\n**IOC Analysis:** The file ISBEW64.exe is signed and its hash (8023e720...) is not associated with malicious activity in public databases. Its execution from AppData\\Local\\Temp and parentage by MsiExec.exe are consistent with legitimate InstallShield operations.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process ISBEW64.exe is a known Windows Installer executable (msiexec) variant running from a temporary directory, which is common for legitimate MSI installations. The parent process MsiExec.exe confirms this is part of the standard Windows installation framework.\n\n**IOC Analysis:** ISBEW64.exe is a benign Windows Installer helper process that runs alongside msiexec.exe. The file path in AppData\\Local\\Temp is expected for temporary installer files, and the command line arguments with GUIDs are typical for MSI operations. This matches known false positive patterns for legitimate system maintenance.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.7\nThe process ISBEW64.exe is located in a non-standard directory but is signed and spawned from a legitimate process, indicating a potential false positive.\n\n**IOC Analysis:** FILE_PATH is atypical for system binaries, as it resides in a user-specific temporary directory; however, FILE_IS_SIGNED is present, and the parent process is legitimate MsiExec.exe, which may indicate benign activity such as a software installation.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (low, 90% confidence)",
      "deepseek-r1:8b: false_positive (low, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | No action required; the activity is benign. | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning the detection rule to exclude signed InstallShield binaries spawned by MsiExec.exe from temporary directories. | executed | General Activity Sweep: 0 events found |

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-24T16:48
🤖 FusionSOC AI 2026-03-24T16:48
🤖 FusionSOC AI 2026-03-24T16:48
🤖 FusionSOC AI 2026-03-24T16:48

📜 Timeline

2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T16:48:21
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:48:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:48:21
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Consider tuning the detection rule to exclude signed InstallShield binaries spaw...
2026-03-24T16:48:21
FusionSOC
Response action queued: recommended on Consider tuning the detection rule to exclude signed InstallShield binaries spawned by MsiExec.exe from temporary directories.
2026-03-24T16:48:21
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T16:48:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:48:21
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** No action required; the activity is benign. **Sensor:** `8f3a47be-5629-4c...` **...
2026-03-24T16:48:21
FusionSOC
Response action queued: recommended on No action required; the activity is benign.
2026-03-24T16:48:21
FusionSOC AI
Status changed: open → investigating
2026-03-24T16:48:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T16:48:21
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T16:48:20
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T16:48:20
FusionSOC
Action tag → executed: Tag applied
2026-03-24T16:48:20
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T16:48:20
FusionSOC AI
Detection fe61709c-69c4-4520-9d1e-86b569c2a804 triaged as false_positive (low severity, confidence: 85%)
2026-03-24T16:48:20
FusionSOC AI
Case created from detection: general.New Process from Atypical Path