Computer Hacking Forensic Investigator (CHFI v10) — Question 408
A Computer Hacking Forensics Investigator is analyzing a malware sample named "payload.exe". They ran the malware on a test workstation and used a tool named WhatChanged Portable to monitor host integrity by capturing the system state before and after the malware executed. After comparing the two snapshots, the investigator observes that an entry named CjNWWyUJ has been created under the Run registry key with the value C:\Users\\AppData\Local\Temp\xKNkeLQI.vbs. Given this information, what conclusion can the investigator draw?
Answer options
- A. The malware has corrupted the Windows registry
- B. The malware is performing a denial of service attack
- C. The malware creates a persistent connection with the machine on startup
- D. The malware has deleted system files on the workstation
Correct answer: C
Explanation
The correct answer is C because a new value under the Run registry key causes the referenced file (here a .vbs script in the user's Temp directory) to be launched at each system startup, which is a persistence mechanism. The other options are incorrect: the described behavior provides no evidence of registry corruption, denial-of-service activity, or deletion of system files.