Windows Binary Execution from an Archive

Splunk Security Content

Summary
Detects Windows binaries executed from archive-derived paths inside a user's Temp directory. The rule fires when the parent process is one of three archive handlers (explorer.exe, winrar.exe or 7zFM.exe) and the executed image resides under the Temp folder in a path carrying an archive indicator such as rar, 7z or zip. These are the staging locations archivers extract to when a user opens a file directly from an archive, and a binary launched from them is a known way to sidestep Mark-of-the-Web (MOTW) protections and, in some versions, to exploit archiver vulnerabilities such as CVE-2025-0411.

The detection relies on endpoint process-creation telemetry, notably Sysmon Event ID 1 and CrowdStrike ProcessRollup2, mapped to the Endpoint data model. It needs complete process creation data: process GUID, process name, parent process and full command line. The search aggregates by process, hash, user, host and parent-child relationship and supports drilldown on the user and dest fields. It produces a risk-based alerting message and feeds the broader risk analytics.

False positives can come from legitimate installers or automation workflows that extract binaries to Temp before running them; when tuning, verify the parent process, the path and the user context before approving an allowlist entry. References and MITRE ATT&CK mappings (e.g., T1204.002) are provided for further validation.
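The logic above, run over constructed Sysmon Event ID 1 style records, as an added example that is not the Splunk search itself and not Splunk's code. Field names mirror the Endpoint.Processes data model; the Temp staging patterns (Temp1_*.zip, Rar$*, 7z*) are an assumption about how Explorer, WinRAR and 7-Zip name their extraction folders, and the hash allowlist is an assumed tuning hook, not part of the rule. The sample events and hashes are constructed.

```python
import re
from collections import Counter

# Parent processes the rule keys on (from the page).
ARCHIVE_PARENTS = frozenset({"explorer.exe", "winrar.exe", "7zfm.exe"})

# A user Temp folder followed by an entry carrying an archive indicator.
# Assumption: extractors stage into Temp\Temp1_<name>.zip\, Temp\Rar$...\ and
# Temp\7z...\; the rar/7z/zip tokens are the page's indicators.
TEMP_ARCHIVE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]*(rar|7z|zip)",
    re.IGNORECASE,
)


def matches_rule(ev):
    """True when the parent is an archive handler AND the image path is an
    archive-derived Temp path. Case-insensitive, as Windows paths are."""
    parent = ev["parent_process_name"].lower()
    return parent in ARCHIVE_PARENTS and bool(TEMP_ARCHIVE_RE.search(ev["process_path"]))


def risk_message(key):
    dest, user, parent, proc, _ = key
    return f"{parent} launched {proc} from an archive-derived Temp path on {dest} as {user}"


def detect(events, hash_allowlist=frozenset()):
    """Mimic the search's aggregation: count matching events per
    dest/user/parent/process/hash tuple. hash_allowlist is an assumed tuning
    hook for vetted installers (hashes compared lower-case)."""
    counts = Counter()
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev["process_hash"].lower() in hash_allowlist:
            continue  # tuned out after verifying parent, path and user context
        key = (ev["dest"], ev["user"], ev["parent_process_name"].lower(),
               ev["process_name"].lower(), ev["process_hash"].lower())
        counts[key] += 1
    return [
        {"dest": k[0], "user": k[1], "parent_process_name": k[2],
         "process_name": k[3], "process_hash": k[4], "count": n,
         "message": risk_message(k)}
        for k, n in sorted(counts.items())
    ]


def _ev(dest, user, parent, path, hash_char):
    """Build one constructed process-creation record; hashes are placeholders."""
    return {"dest": dest, "user": user, "parent_process_name": parent,
            "process_path": path, "process_name": path.rsplit("\\", 1)[-1],
            "command_line": f'"{path}"', "process_hash": hash_char * 64}


# Constructed sample telemetry (not real hosts, users or hashes).
SAMPLE_EVENTS = [
    # Explorer opened invoice.exe straight from a .zip -> should fire
    _ev("WS-ALICE", "alice", "explorer.exe",
        r"C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.exe", "a"),
    # WinRAR staging folder, launched twice -> one finding with count 2
    _ev("WS-BOB", "bob", "winrar.exe",
        r"C:\Users\bob\AppData\Local\Temp\Rar$EXa1234.5678\update.exe", "b"),
    _ev("WS-BOB", "bob", "winrar.exe",
        r"C:\Users\bob\AppData\Local\Temp\Rar$EXa1234.5678\update.exe", "b"),
    # 7-Zip File Manager staging folder -> should fire
    _ev("WS-BOB", "bob", "7zFM.exe",
        r"C:\Users\bob\AppData\Local\Temp\7zO4A3F\setup.exe", "c"),
    # 7-Zip itself launched from Program Files: archive parent, but not Temp -> no hit
    _ev("WS-ALICE", "alice", "explorer.exe", r"C:\Program Files\7-Zip\7zFM.exe", "e"),
    # Temp\7z... path but parent is cmd.exe, not an archive handler -> no hit
    _ev("WS-ALICE", "alice", "cmd.exe",
        r"C:\Users\alice\AppData\Local\Temp\7z1234\tool.exe", "f"),
    # Build automation extracting a vendor installer -> fires unless allowlisted
    _ev("BUILD01", "svc_build", "7zFM.exe",
        r"C:\Users\svc_build\AppData\Local\Temp\7zAB\vendor_installer.exe", "d"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, hash_allowlist={"d" * 64}):
        print(f["count"], f["message"])
```

The two non-hits show why both conditions matter: a Temp path alone catches every tool that unpacks to Temp, and an archiver parent alone catches every program a user starts by double-clicking. The allowlist is applied after the match so that a tuned-out installer is still visible if you drop the suppression during an investigation.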
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1204.002
Created: 2026-04-13