GCIH Exam Questions

GCIH Exam - Question 183


A Windows workstation was clean a few days ago but now appears to be infected. Based on results from tasklist, which was run last week, which connection or connections shown in netstat -naob, run today, most likely indicate the host is now infected?

Correct Answer: D

Comparing last week's tasklist with today's netstat -naob output, the answer key gives D, the svchost.exe connection(s). The PID 2904 that netstat -naob attributes to svchost.exe does not appear in the earlier tasklist, so it belongs to a process that started after the clean baseline was captured. Malware commonly names itself after, or injects into, legitimate system processes such as svchost.exe, which is why a previously unseen svchost.exe PID with network activity is the most suspicious entry. A practitioner would confirm before acting: PIDs are recycled once a process exits, so a PID absent from an older tasklist is only circumstantial on its own, and the image path (a genuine svchost.exe loads from %SystemRoot%\System32), the parent process (services.exe) and the command line should be checked as well.
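The comparison the question asks for can be automated. The script below is an added example and is not part of the exam or this site; the two inputs are constructed sample outputs in the real column layout of `tasklist` and `netstat -naob` (they are not the exam screenshots), and the PIDs and process names in them are chosen only to illustrate the two cases discussed here: a PID that did not exist at baseline, and a PID that now carries a different image name than it did at baseline.

```python
"""Added example: diff a baseline `tasklist` against a later `netstat -naob`.

Both inputs below are CONSTRUCTED sample outputs (not the exam's screenshots),
written in the real column layout the two Windows tools produce.
"""
import re
from dataclasses import dataclass
from typing import Optional

TASKLIST_BASELINE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        144 K
wininit.exe                    596 Services                   0      5,204 K
services.exe                   680 Services                   0      9,316 K
lsass.exe                      688 Services                   0     14,020 K
svchost.exe                    820 Services                   0     10,112 K
svchost.exe                    916 Services                   0      8,544 K
wmpnetwk.exe                  1744 Services                   0     18,300 K
"""

NETSTAT_NOW = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:10243          0.0.0.0:0              LISTENING       1744
 [wmpnetwk.exe]
  TCP    192.168.1.10:49702     192.168.1.20:445       ESTABLISHED     596
 [winevtd.exe]
  TCP    192.168.1.10:49710     203.0.113.5:443        ESTABLISHED     2904
 [svchost.exe]
  UDP    0.0.0.0:123            *:*                                    916
  W32Time
 [svchost.exe]
"""

# tasklist row: image name (may contain spaces), PID, session name, session#, "N K"
_TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# netstat row: proto, local, foreign, optional state (UDP rows have none), PID
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# owner line printed by -b, e.g. " [svchost.exe]"
_OWNER_ROW = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: Optional[str]
    pid: int
    exe: Optional[str] = None  # filled from the bracketed -b line, if any


@dataclass
class Finding:
    conn: Conn
    reason: str   # "new-pid" or "pid-name-mismatch"
    detail: str


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name from `tasklist` output (header rows do not match)."""
    pids = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_netstat(text: str) -> list:
    """Parse `netstat -naob`, attaching each bracketed owner to the preceding row."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state, int(pid)))
            continue
        m = _OWNER_ROW.match(line)
        if m and conns:
            # the last bracketed entry before the next row is the owning image
            conns[-1].exe = m.group(1)
    return conns


def compare(baseline: dict, conns: list) -> list:
    """Flag rows whose PID is new since baseline, or whose PID now carries a
    different image name (PID reuse after an exit, or a renamed/masquerading
    process; both need a manual look at path, parent and command line)."""
    findings = []
    for c in conns:
        if c.pid not in baseline:
            findings.append(Finding(c, "new-pid",
                f"PID {c.pid} ({c.exe or 'owner unknown'}) was not running at baseline"))
        elif c.exe and c.exe.lower() != baseline[c.pid].lower():
            findings.append(Finding(c, "pid-name-mismatch",
                f"PID {c.pid} was {baseline[c.pid]} at baseline, now {c.exe}"))
    return findings


def triage(text_baseline: str = TASKLIST_BASELINE, text_now: str = NETSTAT_NOW) -> list:
    """Run the whole comparison on the two text dumps."""
    return compare(parse_tasklist(text_baseline), parse_netstat(text_now))


if __name__ == "__main__":
    for f in triage():
        c = f.conn
        print(f"[{f.reason}] {c.proto} {c.local} -> {c.foreign} "
              f"{c.state or ''} pid={c.pid} exe={c.exe}: {f.detail}")
```

On the constructed data the script reports the svchost.exe row under PID 2904 as `new-pid` and the PID 596 row as `pid-name-mismatch`; it does not decide which is malicious. Rows whose PID existed at baseline but for which -b printed no owner (here PID 4) are left alone, since there is no name to compare. In practice the baseline and current captures should come from the same boot, or the PID comparison degrades to a name comparison only.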

Discussion

XBal
Sep 16, 2023

Correct answer is "D" as its PID did not appear in the previous screenshot/tasklist.

ruchiwan
Jul 14, 2024

What about winevtd.exe? It has the same PID, 596, as wininit.exe has in the tasklist.

Vikt0r
Jun 6, 2024

D is correct

strale (Option: C)
Aug 10, 2024

I think lsass.exe is correct, because it listens on a strange port for all incoming connections. A - it's not unusual at all, and also it is possible that the wininit.exe process has stopped and that winevtd.exe got the same PID. B - wmpnetwk.exe is not unusual at all. D - it is legit that multiple svchost.exe related processes have been started at the same time. In my opinion, avp.exe would be the best answer, but since it is not an option, lsass.exe is the best answer.