Exam CS0-003 topic 1 question 265 discussion

Actual exam question from CompTIA's CS0-003
Question #: 265
Topic #: 1

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

  • A. Changes to system environment variables
  • B. SMB network traffic related to the system process
  • C. Recent browser history of the primary user
  • D. Activities taken by PID 1024
Suggested Answer: D

Comments

luiiizsoares
5 months ago
Selected Answer: D
When investigating suspicious processes, analyzing the specific activities of the PID in question provides the most direct insight into whether it is behaving maliciously. This includes actions like file modifications, network connections, memory usage, and system calls made by that process. In this case, the process BGInfo.exe—a legitimate Sysinternals tool—is behaving anomalously (running for an extended period, which is uncommon for such a tool). Observing PID 1024's activities will help determine if the process has been tampered with, replaced, or is being abused by an attacker.
upvoted 3 times
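The commenter's point is that option D means pulling the concrete facts about PID 1024 rather than unrelated telemetry. The following PowerShell triage script is an added example, not code from the exam or the commenter, and assumes it is run on the Windows host in question with local administrator rights (module lists and some start times are hidden from unprivileged users) and that the PID and the "normal" runtime threshold are passed in as parameters:

```powershell
param(
    # PID from the scenario; assumed to still be alive on the host being triaged
    [int]$TargetPid = 1024,
    # BGInfo.exe normally exits within seconds of setting the wallpaper, so a
    # small threshold is enough to flag the two-day runtime in the question
    [int]$MaxExpectedMinutes = 5
)

# Basic process facts: image on disk, command line, parent, and how long it has run
$proc   = Get-Process -Id $TargetPid -ErrorAction Stop
$cim    = Get-CimInstance Win32_Process -Filter "ProcessId = $TargetPid"
$parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($cim.ParentProcessId)"
$image  = $cim.ExecutablePath
$runtime = (Get-Date) - $proc.StartTime

# Integrity checks: genuine Sysinternals binaries are Authenticode-signed by Microsoft,
# so an unsigned or tampered image under this name is a strong sign of replacement.
$hash = if ($image) { (Get-FileHash -Algorithm SHA256 -Path $image).Hash } else { 'n/a' }
$sig  = if ($image) { Get-AuthenticodeSignature -FilePath $image } else { $null }

[pscustomobject]@{
    Name        = $proc.ProcessName
    Pid         = $TargetPid
    ImagePath   = $image
    CommandLine = $cim.CommandLine
    Parent      = "$($parent.Name) (PID $($cim.ParentProcessId))"
    Started     = $proc.StartTime
    RunningFor  = $runtime
    SHA256      = $hash
    SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
    Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
} | Format-List

# Loaded modules outside the Windows directory: a wallpaper utility should not be
# pulling in DLLs from user-writable locations.
Write-Host "`nNon-system modules loaded by PID $TargetPid:"
$proc.Modules |
    Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
    Select-Object -ExpandProperty FileName

# Network activity owned by this PID: BGInfo has no legitimate reason to hold sockets.
Write-Host "`nTCP connections owned by PID $TargetPid:"
Get-NetTCPConnection -OwningProcess $TargetPid -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# Process-creation history for this image (Security 4688; requires the
# "Audit Process Creation" policy to be enabled on the host).
Write-Host "`nRecent 4688 process-creation events mentioning $($proc.ProcessName):"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($proc.ProcessName) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# The anomaly from the question, made explicit
if ($runtime.TotalMinutes -gt $MaxExpectedMinutes) {
    Write-Warning ("PID {0} ({1}) has run for {2:N1} hours; expected under {3} minutes. Treat as suspicious." -f
        $TargetPid, $proc.ProcessName, $runtime.TotalHours, $MaxExpectedMinutes)
}
```

Run it as `.\Triage-Pid.ps1 -TargetPid 1024` (script name is a placeholder). The output is organised around the evidence the commenter lists: what the process is on disk, who started it, what it has loaded, and whether it is talking to the network. A signature status other than `Valid`, a parent that is not the expected logon or scheduled-task host, or any remote TCP peer are the findings that would justify escalating from "odd runtime" to "compromised host".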
Community vote distribution: A (35%), C (25%), B (20%), other answers the remainder.