Free CrowdStrike CCCS-203b Actual Exam Questions - Question 14 Discussion
in HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing a newly created executable in
the user’s AppData\Roaming directory. What does this likely indicate?
A, because malware often uses Run keys and AppData for stealthy startup persistence.
A, since AppData\Roaming and Run key tweaks are classic malware persistence signs.
It’s A because malware often uses the Run key to maintain persistence, especially when the executable is hidden in AppData\Roaming, which is a common spot for stealthy malware drops.
Option A stands out because legitimate apps rarely put new executables in AppData\Roaming and then add startup entries without clear user action. The Run key is a common place for malware to gain persistence. Options B and C don’t really fit since system scripts or updates usually don’t involve dropping unknown executables there. D could be possible, but normally legit apps use Program Files or AppData Local, not Roaming, plus they’re less sneaky about startup entries. So this definitely points more toward a malicious persistence attempt.
It’s A for sure. Legit apps rarely put new executables in Roaming and tweak Run keys without user consent—this is textbook malware persistence behavior.
This is classic malware behavior, so A fits best. The Run key is a prime spot for persistence, and placing a new executable in AppData\Roaming is a known tactic for hiding malicious files. Legit apps don’t usually drop unknown executables there without user action or updates, so options B, C, and D seem less likely here.
A/D? The new exe in AppData plus Run key tweak screams persistence, likely malicious.
This screams malware persistence to me, so I’m with A. The Run key is a well-known place for bad actors to keep their stuff alive after reboot. Also, legitimate apps don’t usually drop new executables in AppData\Roaming without a proper install or update process, so options B, C, and D feel less solid here.
A/C? That Run key is definitely used for persistence, but a newly created exe in AppData\Roaming is sketchy. Legit apps usually don’t drop new exe files there without updates or installs, so C feels less likely.
A/D? The registry key in Run is a classic persistence spot, so D could be legit if it’s a trusted app. But since it’s a newly created exe in AppData\Roaming, that’s suspicious and usually a sign of malware trying to survive reboots. B and C sound less likely because system scripts or updates don’t typically drop unknown exe files there without more info. Without clear proof it’s a legit update or installer, I’d lean toward A as the safer bet here.
A. Does the question specify if the executable's behavior was analyzed?
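The pattern the thread keeps returning to (an HKCU Run value pointing at a freshly created executable under AppData\Roaming) can be expressed as a correlation rule. This is an added example, not part of the original discussion: the event field names, the sample events and the 10-minute window are assumptions, and the telemetry is assumed to carry already-expanded paths.

```python
import ntpath
import re
from datetime import datetime, timedelta

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\")
EXE = re.compile(r'\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr|bat|cmd))(?=\s|$))', re.I)

def run_target(data):
    """Executable path from Run value data: handles quotes, arguments, spaces."""
    m = EXE.match(data)
    return ntpath.normpath(m.group(1) or m.group(2)).lower() if m else None

def flag_run_persistence(events, window=timedelta(minutes=10)):
    """Return (value name, exe) for HKCU Run writes that point at an executable
    created under AppData\\Roaming no more than `window` before the write."""
    created = {ntpath.normpath(e["path"]).lower(): e["time"]
               for e in events if e["type"] == "file_create"}
    findings = []
    for e in events:
        if e["type"] != "reg_set" or e["key"].lower().rstrip("\\") != RUN_KEY:
            continue
        target = run_target(e["data"])
        if not target or not ROAMING.match(target):
            continue  # not an executable under a user's Roaming profile
        born = created.get(target)
        if born is not None and timedelta(0) <= e["time"] - born <= window:
            findings.append((e["value"], target))
    return findings

# Constructed sample telemetry (hypothetical field names, not a real EDR schema).
T0 = datetime(2024, 1, 1, 12, 0)
KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ROAM = r"C:\Users\alice\AppData\Roaming"
EVENTS = [
    {"type": "file_create", "time": T0, "path": ROAM + r"\updater.exe"},
    {"type": "reg_set", "time": T0 + timedelta(minutes=2), "key": KEY,
     "value": "Updater", "data": '"' + ROAM + r'\updater.exe" /background'},
    {"type": "reg_set", "time": T0 + timedelta(minutes=3), "key": KEY,
     "value": "ExampleApp", "data": r'"C:\Program Files\ExampleApp\app.exe"'},
    {"type": "file_create", "time": T0 - timedelta(days=30), "path": ROAM + r"\Chat\chat.exe"},
    {"type": "reg_set", "time": T0 + timedelta(minutes=5), "key": KEY,
     "value": "Chat", "data": ROAM + r"\Chat\chat.exe --minimized"},
]

if __name__ == "__main__":
    for name, exe in flag_run_persistence(EVENTS):
        print(f"review: Run value {name!r} -> {exe}")
```

Only the "Updater" entry is flagged: the Program Files entry is outside Roaming, and the "Chat" executable predates its Run value by 30 days, so neither matches the "newly created" condition in the question.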