Computer Hacking Forensic Investigator (CHFI v10) — Question 433

During a malware forensic investigation, a newly added entry was identified in the Windows AutoStart registry keys after a malware execution on a compromised system. The entry indicates a VB script file named "CaoClboog.vbs" installed in the 'Run' key to achieve persistence and run automatically upon user login. As a Computer Hacking Forensic Investigator (CHFI), where would you expect to find this suspicious entry in the registry hive?

Answer options

• A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
• B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• C. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup

Correct answer: C

Explanation

The correct answer is C, as the 'Run' key under HKEY_CURRENT_USER is specifically used to launch applications automatically for the current user at login. Option A is incorrect as it pertains to user shell folders rather than the auto-start mechanism, while option B refers to the machine-wide run key, and option D relates to common startup folders, which do not specifically point to the user context.