Which of the processes, shown in the output below, should be prioritized for examination during live response?
Command run: C:\> netstat -naob -
Output: see screen capture (irrelevant lines of output omitted for space)
The process calc.exe (PID 5713) should be prioritized for examination. In the netstat output, the process calc.exe is shown to be connected to an IP address (5.1.24.17) on port 80, which is usually associated with HTTP traffic. Since calc.exe is typically a calculator application and does not normally establish network connections, this could indicate suspicious or compromised behavior, making it a priority for further investigation during live response.
While I admit my instinct is B, can someone explain why W32Time is populating in the PID column?
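Added example (not part of the question, answer or comment above): a small Python parser for `netstat -naob` output that attaches the bracketed executable, and any service line that `-b` prints beneath an entry (which is why a name like W32Time appears below the PID rather than in it), to each connection, then flags established connections owned by images not expected to use the network. The sample output and the allowlist of expected images are constructed assumptions.

```python
import re

# Constructed sample of `netstat -naob` output (not the screenshot from the question).
# -b prints the owning executable in brackets on the line after each entry; for
# svchost-hosted services the service name (e.g. W32Time) is printed first.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  RpcSs
 [svchost.exe]
  TCP    10.0.0.5:49812         5.1.24.17:80           ESTABLISHED     5713
 [calc.exe]
  TCP    10.0.0.5:49820         13.107.4.52:443        ESTABLISHED     2210
 [chrome.exe]
  UDP    0.0.0.0:123            *:*                                    1204
  W32Time
 [svchost.exe]
"""

# Assumption: images a responder expects to hold network connections on this host.
EXPECTED_NETWORK_IMAGES = {"svchost.exe", "chrome.exe", "lsass.exe"}

# Proto, local, foreign, optional state (UDP has none), PID.
ENTRY = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Group each connection line with the service/executable lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            entries.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid),
                            "image": "", "services": []})
        elif entries and line.strip():
            tok = line.strip()
            if tok.startswith("[") and tok.endswith("]"):
                entries[-1]["image"] = tok[1:-1]          # owning executable
            else:
                entries[-1]["services"].append(tok)       # hosted service, e.g. W32Time
    return entries

def prioritize(entries):
    """(pid, image, remote) for established connections from unexpected images."""
    return [(e["pid"], e["image"], e["remote"]) for e in entries
            if e["state"] == "ESTABLISHED"
            and e["image"].lower() not in EXPECTED_NETWORK_IMAGES]
```

Run against real output (`netstat -naob > netstat.txt` from an elevated prompt, since `-b` needs it), the flagged list is the triage order; the `services` field tells you which svchost-hosted service owns a port.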