CompTIA CySA+ (CS0-003) — Question 200
When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?
Answer options
- A. Changes to system environment variables
- B. SMB network traffic related to the system process
- C. Recent browser history of the primary user
- D. Activities taken by PID 1024
Correct answer: D
Explanation
Investigating the activities taken by PID 1024 gives direct insight into what the process has actually been doing (its child processes, file and registry writes, network connections, and loaded modules) and whether it has engaged in any malicious behavior. BGInfo.exe normally runs briefly at logon to render the wallpaper and then exits, so a copy that has been running for over two days is anomalous in itself, and the process's own activity is the evidence that explains the anomaly. The other options, while potentially useful, do not relate directly to the specific actions of the BGInfo.exe process.