// soc investigation 2026-01-23
SOC104 - Malware Detected, event 84
LetsDefend | Medium | Closed | ✗ False Positive
mitre/T1204-002
analyst verdict FALSE POSITIVE

🎯 MITRE ATT&CK

T1204 User Execution

👤 Who

The alert was triggered on a host where winrar.exe was executed. The file was downloaded from win-rar.com, which is the official WinRAR distribution website.

🔎 What

The SOC104 Malware Detected alert was generated for winrar.exe. The file hash was checked in VirusTotal: only one vendor flagged it as malicious, while all other engines reported it clean. The file was detonated in the ANY.RUN sandbox and showed no malicious behavior. Network activity, process behavior, and file modifications were consistent with a legitimate WinRAR installer. No indicators of compromise were identified.

🕐 When

Event Time Mar 21 2021 01:04 PM
Alert Closed Jan 23 2026 02:26 PM

📍 Where

Affected Host internal endpoint
Process winrar.exe
Download Source https://win-rar.com
Event ID 84
Rule SOC104 Malware Detected

💡 Why

The alert was triggered by heuristic or signature-based detection from a single security vendor. Further investigation confirmed the file was downloaded from the official website and behaved as a legitimate installer. VirusTotal results and sandbox analysis supported this assessment. The alert was determined to be a False Positive, and no remediation or containment was required.