T1204 User Execution
Endpoint 172.16.17.5 accessed a URL that triggered the SOC119 Proxy Malicious Executable File Detected alert.
The alert was generated after the endpoint accessed https://www.win-rar.com/postdownload.html?&L=0&Version=32bit which was flagged as a potential malicious executable download. The URL was analyzed in VirusTotal and returned no malicious detections. Investigation confirmed the domain win-rar.com is the legitimate WinRAR distribution website used for archive extraction software. No malicious file execution or suspicious endpoint activity was observed.
Event Time Mar 21 2021 01:02 PM
Alert Closed Jan 22 2026 09:34 AM
Endpoint 172.16.17.5
URL https://www.win-rar.com/postdownload.html?&L=0&Version=32bit
Event ID 83
Rule SOC119 Proxy Malicious Executable File Detected
The alert was triggered due to proxy detection logic identifying an executable download pattern. Analysis confirmed the URL is legitimate and no malicious behavior occurred on the endpoint. No indicators of compromise were identified. The alert was assessed as a False Positive and no further action was required.