350-201(NEW-127Q) Question #88: Real Exam Question with Answer & Explanation
The correct answer is B. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.
Question
Options
- A. The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
- B. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.
- C. The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
- D. The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
Explanation
Option B is correct because it directly aligns with the known malware behavior - capturing keystrokes and webcam data - and describes how those captures are stored (locally encrypted files) and how command-and-control infrastructure is concealed (encrypted/obfuscated URLs/IPs). These are the artifacts a static analyst would find that confirm this malware is a keylogger/RAT with data exfiltration staging, making them the actual indicators of compromise.
Option A describes a credential-harvesting tool focused on browser cookies and a reverse proxy for traffic interception - a different malware profile than the keylogger/webcam scenario given. Option C is a ransomware description (querying AV/OS, encrypting files for payment) - an entirely different malware category. Option D describes host reconnaissance/fingerprinting - common in many malware types but not the IoC specific to keylogging and webcam capture.
Memory tip: Match the IoC to the known behavior - since the malware captures keys and webcam, look for the option that describes storage and concealment of exactly those outputs. B is the only choice that mentions "loggers and webcam captures," making it the direct evidence trail.