T1204 User Execution
The alert was triggered on a host where winrar.exe was executed. The file had been downloaded from win-rar.com, the official WinRAR distribution website.
A SOC104 Malware Detected alert was generated for winrar.exe. The file hash was checked in VirusTotal: only one vendor flagged it as malicious, and all other engines reported it clean. The file was detonated in the ANY.RUN sandbox and showed no malicious behavior; network activity, process behavior, and file modifications were consistent with a legitimate WinRAR installer. No indicators of compromise were identified.
Event Time: Mar 21 2021 01:04 PM
Alert Closed: Jan 23 2026 02:26 PM
Affected Host: internal endpoint
Process: winrar.exe
Download Source: https://win-rar.com
Event ID: 84
Rule: SOC104 Malware Detected
The alert was triggered by a heuristic or signature-based detection from a single vendor. Further investigation confirmed that the file was downloaded from the official website and behaved as a legitimate installer; the VirusTotal result (one engine out of many) and the clean sandbox run both supported this assessment. A single-engine detection with no corroborating behavior is the typical profile of a false positive. The alert was determined to be a False Positive and no remediation or containment was required.
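The triage logic applied in this report (single-vendor VirusTotal hit, download source verified against the official domain, clean sandbox detonation) can be written down as a small helper so that the same checks are applied consistently to the next installer alert. The code below is an added example and is not part of the original report or of any SOC platform. It assumes the VirusTotal v3 response shape (`data.attributes.last_analysis_stats`), an allowlist of official WinRAR domains (`OFFICIAL_WINRAR_DOMAINS`, an assumption), and uses a constructed VirusTotal-style response rather than a live API call, so it runs offline. The hash helper hashes an inline placeholder blob, not the real WinRAR binary.

```python
"""Triage helper for a single-vendor VirusTotal hit on a downloaded installer.

Added example; not code from the report or from any SOC tool.
"""
import hashlib
from urllib.parse import urlsplit

# Assumption: domains treated as official WinRAR distribution points.
OFFICIAL_WINRAR_DOMAINS = {
    "win-rar.com", "www.win-rar.com",
    "rarlab.com", "www.rarlab.com",
}

# Constructed VirusTotal v3-style response mirroring the report: one engine
# flags the file, every other engine reports nothing.
SAMPLE_VT_RESPONSE = {
    "data": {
        "type": "file",
        "attributes": {
            "last_analysis_stats": {
                "malicious": 1,
                "suspicious": 0,
                "harmless": 0,
                "undetected": 70,
                "timeout": 0,
                "type-unsupported": 2,
            }
        },
    }
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample bytes, in the form VirusTotal accepts as a lookup key."""
    return hashlib.sha256(data).hexdigest()


def vt_detection_summary(vt_response: dict) -> dict:
    """Count engines that flagged the file versus engines that actually scanned it.

    'timeout' and 'type-unsupported' are not votes, so they are left out of the total.
    """
    stats = vt_response["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    return {"flagged": flagged, "total": total}


def is_official_source(url: str) -> bool:
    """True only for an HTTPS URL whose host is on the allowlist.

    urlsplit().hostname strips userinfo and ports, so a lookalike such as
    https://win-rar.com@evil.example/ resolves to evil.example and is rejected.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in OFFICIAL_WINRAR_DOMAINS


def triage_verdict(vt_response: dict, download_url: str, sandbox_malicious: bool,
                   max_single_vendor_hits: int = 1) -> str:
    """Apply the report's reasoning to one sample.

    Returns 'True Positive', 'False Positive' or 'Escalate'. Behavioral evidence
    from the sandbox wins over reputation: a malicious detonation is never closed
    as a false positive, however clean the reputation looks.
    """
    if sandbox_malicious:
        return "True Positive"
    summary = vt_detection_summary(vt_response)
    if summary["flagged"] > max_single_vendor_hits:
        return "Escalate"
    if summary["flagged"] <= max_single_vendor_hits and is_official_source(download_url):
        return "False Positive"
    return "Escalate"


if __name__ == "__main__":
    # Placeholder bytes standing in for the downloaded installer (constructed).
    sample = b"MZ placeholder, not the real winrar.exe"
    print("sha256:", sha256_hex(sample))
    print("vt:", vt_detection_summary(SAMPLE_VT_RESPONSE))
    print("verdict:", triage_verdict(SAMPLE_VT_RESPONSE, "https://win-rar.com", False))
```

The thresholds are deliberately conservative: a file from a non-allowlisted or plain-HTTP source is escalated even with a single-vendor hit, and the allowlist is matched on the parsed hostname rather than by substring so that lookalike domains and userinfo tricks do not pass.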