These files can be read in Notepad++
Question 10 (5 points)
The psxview module is useful for detecting rootkits able to evade detection by modifying flinks
and blinks.
1. Review the psxview text file.
2. Locate the PID 4912.
3. Based on the results of psxview, select your assessment of PID 4912 from the list below.
Select one answer:
a.
b.
c.
d.
Because it shows false in the csrss column, it is most likely a rootkit.
Because it shows true in both the pslist and psscan columns it is most likely a rootkit.
There is no expected entry of “false” in the pslist column. So it most likely isn’t a rootkit.
PID 4912 is the FTK Imager used to dump the memory from the subject computer. It is
not a rootkit.
Question 11 (5 points)
1.
2.
3.
4.
5.
6.
Review the psxview text file.
Find the wsmprovhost.ex process
Notice there are two.
One shows an entry of True in every column. Meaning it has not attempted to hide.
Find the instance of this process where the pslist column shows an entry of False.
The PID 464 where the psscan column is true, but all other columns are false SHOULD
indicate the process is no longer in memory and would therefore NOT be suspicious. You
should see an exit time, but here you do not. That is suspicious.
7. From the list below, select the memory address of the PID 464 where the psscan column
is true, but all other columns are false?
Select one answer:
a.
b.
c.
d.
0x00000001097f2400
0x0000000039a65700
0x00000000835a8900
0x0000000102a4a900
Question 14 (5 points)
rdpclip.exe is a process associated with a Remote Desktop Client. We suspect a malicious insider
at Deepship. If you find the rdpclip.exe process running in the pstree output it may indicate
unauthorized use of RDP.
From the list below, select the PID of the rdpclip.exe process
Select one answer:
a.
b.
c.
d.
1079
1078
1075
1072
Question 15 (5 points)
After injecting the malicious code into the target process, malware can hook API calls made by
the target process to control its execution path and reroute it to the malicious code.
To identify API hooks in both processes and kernel memory, you can use the apihooks Volatility
plugin.
1. in the apihooks text file Search for Process: 464 (wsmprovhost.ex) with a Hooking
module: .
2. The API hooked by the suspicious process was InitPlugin in the pspluginwkr-v3.dll.
3. In the first line of the disassembly, find the JMP (jump) instruction which points to the
injected code.
4. From the list below, select the memory address to which the JMP instruction points.
Select one answer:
a.
b.
c.
d.
0x7ffb87ee5ba0
0x7ffb8a61623a
0x7ffb87f0c000
0x7ffb9c201890
Question 16 (2 points)
The apihooks module detected Hooking module: in kernelmode.
Ture or False
Question 17 (5 points)
From the ldrmodule there is a dll listed in the MappedPath column called
WindowsSysWOW64cryptbase.dll. Select it’s correct description from the list below.
Select one:
a.
b.
c.
d.
None of the answers are correct
It is the DLL used by TrueCrypt
It is the Base cryptographic API DLL for Windows
It is used by ransomware to encrypt user files
Question 18 (4 points)
From the ldrmodule plugin, there is an executable listed with a truncated name, and with a PID
of 3504. Select the name of the executable for the PID from the list below.
Select one answer:
a.
b.
c.
d.
CodeMeterCC.ex
IdleDetectionS
System.Runtime.Serialization.ni.dll
conhost.exe
Question 19 (2 points)
Your review of psscan reveals the command prompt launched two instances of a process that,
when compared to the dlllist, could indicate an attempt to install a remote access software.
Order the entire parent – child relationship from beginning to end.
In order of 1-3
nssm.exe
websockify.cmd
cmd.exe

Purchase answer to see full
attachment