CompTIA CySA+ (CS0-003) — Question 76

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.)

Answer options

• A. Creation time of dropper
• B. Registry artifacts
• C. EDR data
• D. Prefetch files
• E. File system metadata
• F. Sysmon event log

Correct answer: B, E

Explanation

The correct answers are B and E because registry artifacts can provide insights into changes made by the malware, including modifications to system configuration and security settings. File system metadata can reveal information about file creation and deletion times, which is crucial for understanding the malware's behavior. The other options, while relevant, do not provide as direct evidence of the root cause as the selected answers.