EC-Council
312-49V11 · Question #135
312-49V11 Question #135: Real Exam Question with Answer & Explanation
Sign in or unlock 312-49V11 to reveal the answer and full explanation for question #135. The question stem and answer options stay visible for context.
Question
During a malware forensic investigation, a newly added entry was identified in the Windows AutoStart registry keys after a malware execution on a compromised system. The entry indicates a VB script file named "CaoClboog.vbs" installed in the 'Run' key to achieve persistence and run automatically upon user login. As a Computer Hacking Forensic Investigator (CHFI), where would you expect to find this suspicious entry in the registry hive?
Options
- AHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
- BHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- CHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- DHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Unlock 312-49V11 to see the answer
You've previewed enough free 312-49V11 questions. Unlock 312-49V11 for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.