During dynamic analysis of a malware sample, an analyst uses Process Monitor to monitor file system activity. The malware creates a file named 'C:\Users\Admin\AppData\Roaming\svchost.exe'. What does this likely indicate?
Creating a file with a system process name in AppData is a common persistence technique.
Why this answer
The creation of a file named 'svchost.exe' in the user's AppData\Roaming directory is a classic persistence technique. By placing a copy of itself with the name of a legitimate Windows system process (svchost.exe) in a user-writable location, the malware aims to execute automatically at startup (e.g., via a registry Run key or scheduled task) while evading suspicion. This is not a legitimate Windows update, as system files reside in C:\Windows\System32, not in a user profile directory.
Exam trap
Cisco often tests the misconception that any file named 'svchost.exe' is legitimate, but the key indicator is the path — a system process should never run from a user profile directory like AppData\Roaming.
How to eliminate wrong answers
Option A is wrong because legitimate Windows updates are delivered via Windows Update and stored in C:\Windows\SoftwareDistribution or System32, not created by malware in a user's AppData folder. Option B is wrong because extracting an archive would typically produce multiple files or a temporary extraction folder, not a single executable masquerading as a system process. Option C is wrong because cleaning up temporary files would involve deleting files (e.g., .tmp files) from Temp folders, not creating a new executable in AppData\Roaming.
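The path-based check behind the "Why this answer" and "Exam trap" explanations, written out as an added detection example (not part of the exam material): it scans a constructed Process Monitor CSV export and flags successful CreateFile operations whose file name matches a Windows system binary but whose directory is outside C:\Windows\System32 or SysWOW64. The system-binary list and the CSV rows are assumptions for the example; a real Procmon export carries more columns, including a Detail field whose Disposition value separates creating a file from merely opening it.

```python
import csv
import io
import ntpath

# Names of Windows system binaries that malware commonly masquerades as.
# Constructed list for this example; extend it from your own baseline.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# Directories from which those binaries legitimately run (matched case-insensitively).
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Process Monitor CSV export; not a real capture.
PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result
10:01:02,malware.exe,4120,CreateFile,C:\Users\Admin\AppData\Roaming\svchost.exe,SUCCESS
10:01:03,TiWorker.exe,812,CreateFile,C:\Windows\System32\svchost.exe,SUCCESS
10:01:04,7zFM.exe,2200,CreateFile,C:\Users\Admin\Downloads\notes.txt,SUCCESS
10:01:05,malware.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost,SUCCESS
"""


def is_masquerading_path(path):
    """True if the file name is a system-binary name but the directory is not a system directory."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_BINARY_NAMES:
        return False
    directory = ntpath.dirname(path).lower()
    # Accept the system directory itself or any subdirectory of it; reject everything else,
    # including look-alike prefixes such as C:\Windows\System32evil.
    return not any(directory == d or directory.startswith(d + "\\") for d in LEGIT_DIRS)


def find_masquerading_writes(csv_text):
    """Return (process name, path) for each successful CreateFile that hits is_masquerading_path."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if is_masquerading_path(row["Path"]):
            hits.append((row["Process Name"], row["Path"]))
    return hits


if __name__ == "__main__":
    for proc, path in find_masquerading_writes(PROCMON_CSV):
        print(f"suspicious: {proc} created {path}")
```

The legitimate System32 copy and the unrelated text file pass through untouched; only the AppData\Roaming drop is reported, which is exactly the indicator the question turns on.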