Question 677 of 1,000
Malware Forensics · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct conclusion is that rundll32.exe with PID 1500 is likely a backdoor listening on port 4444. The tasklist /svc output shows that PID 1500 is rundll32.exe hosting no service (N/A), netstat -ano shows a TCP socket in LISTENING state on 0.0.0.0:4444 owned by that PID, and wmic confirms the image is the genuine C:\Windows\System32\rundll32.exe. A LISTENING socket bound to all interfaces is a bind-style backdoor waiting for an inbound connection (a reverse shell would instead show up as an ESTABLISHED outbound session). Port 4444 is the default LPORT for Metasploit handlers and payloads and is widely reused by other remote access tools, while rundll32.exe is a signed Windows binary whose only job is to load a DLL and call one of its exports, which makes it a favourite living-off-the-land host for a malicious DLL and a common target for code injection. Because the on-disk binary is genuine, the hostile code lives in the DLL it was handed or in injected memory, so the next pivots are the process command line, its parent process, its loaded modules and a memory image. On the CHFI exam this scenario tests your ability to correlate network sockets with running processes by PID, a core forensic skill. The trap is fixating on svchost.exe, either assuming its listeners must be benign or assuming that any injection must target it; here the red flags are the unusual port and a listener owned by a process that hosts no network service. Memory tip: 4444 is Metasploit's default LPORT, and rundll32 is a classic living-off-the-land binary.

CHFI Malware Forensics Practice Question

This CHFI practice question tests your understanding of malware forensics. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer, then compare your reasoning against the explanation and wrong-answer breakdown below to understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

C:\> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 CryptSvc, Dnscache, LmHosts, EventSystem
svchost.exe                   1344 W32Time, WdiServiceHost
svchost.exe                    768 BFE, MpsSvc
notepad.exe                   1456 N/A
svchost.exe                    524 SessionEnv, TermService, UmRdpService
rundll32.exe                  1500 N/A

C:\> netstat -ano | findstr :4444
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1500

C:\> wmic process where processid=1500 get executablepath
ExecutablePath
C:\Windows\System32\rundll32.exe

During a malware investigation, a forensic analyst runs the commands shown in the exhibit. What is the most likely conclusion?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Answer choices

  • A. Svchost.exe processes are hosting legitimate Windows services; no malware is present.
  • B. The malware has injected code into svchost.exe using a reflective DLL injection tool.
  • C. The malware is using port 4444 for Windows Update communications.
  • D. Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.

Correct answer & explanation

Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.

Option D is correct because the netstat -ano output shows a TCP socket in LISTENING state on 0.0.0.0:4444 owned by PID 1500, which tasklist /svc identifies as rundll32.exe with no services attached, and wmic confirms that the image path is the real System32 binary. Port 4444 is Metasploit's default LPORT and a common choice for other RATs, and rundll32.exe is a legitimate Windows binary that attackers abuse to run a malicious DLL (rundll32.exe <dll>,<export>) or as a host for injected code. A listener on an unusual port, bound to all interfaces and owned by a process that is not a network service (unlike the svchost.exe instances hosting TermService or BFE), strongly indicates a backdoor.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Svchost.exe processes are hosting legitimate Windows services; no malware is present.

    Why it's wrong here

Svchost.exe hosting several services per instance is normal, and nothing in the exhibit implicates any svchost.exe instance. The problem is the listener on port 4444, and that socket belongs to PID 1500, rundll32.exe, so "no malware is present" ignores the only anomalous finding.

  • The malware has injected code into svchost.exe using a reflective DLL injection tool.

    Why it's wrong here

None of the svchost.exe PIDs (1236, 1344, 768, 524) owns the port 4444 socket, so there is no evidence of injection into svchost.exe; the suspicious process is rundll32.exe. Reflective injection is a plausible technique here, but the exhibit ties it to the wrong host.

  • The malware is using port 4444 for Windows Update communications.

    Why it's wrong here

Windows Update is a client that talks outbound to Microsoft over HTTP/HTTPS (ports 80 and 443); it does not open a listening port on the workstation at all, let alone 4444, and it runs inside a svchost.exe instance hosting wuauserv, not inside rundll32.exe.

  • Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.

    Why this is correct

rundll32.exe exists to load a DLL and call one of its exports; it has no legitimate reason to own a listening socket. PID 1500 is listening on 0.0.0.0:4444, a port with no service behind it, which points to a bind backdoor hosted in rundll32.exe.

    Clue confirmation

    The clue phrase "most likely" in the question points toward this answer: the exhibit does not prove what the loaded DLL does, but it makes a backdoor the most probable explanation.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

EC-Council often tests the ability to correlate netstat output (port and PID) with tasklist output (PID and process name) to identify suspicious process-port pairs. The trap here is fixating on svchost.exe, either assuming that its listeners are always benign or assuming that any injection must target it; in fact rundll32.exe is a common masquerading host for malicious DLLs and injected code, and the exhibit ties the listener to it by PID.

Detailed technical explanation

How to think about this question

Port 4444 is the default LPORT for Metasploit handlers and its Meterpreter payloads and is reused by many other remote access trojans (RATs). rundll32.exe is a signed Windows binary that loads a DLL and calls an export from the command line (rundll32.exe <dll>,<entrypoint>), so malware uses it to run a malicious DLL under a trusted process name, and attackers also inject into it because its presence is unremarkable. The LISTENING state on 0.0.0.0 means this is a bind-style backdoor waiting for an inbound connection; a reverse shell would appear as an ESTABLISHED outbound session instead. In real-world forensics, analysts join netstat -ano to tasklist /svc on PID and look for listeners owned by processes that host no service. A high port number alone is not the signal, since RPC endpoints legitimately listen in the 49152 to 65535 range, but a listener with no service mapping on an unusual port is. Once the listener is tied to a genuine rundll32.exe, the next pivots are its full command line (which DLL and export it was given), its parent process, its loaded modules, and the DLL's signature and hash. Both tasklist and netstat are user-mode tools that a rootkit can subvert, so confirm the finding against a memory image (for example with Volatility's pslist and netscan plugins) before closing the case.
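The correlation that the Quick Answer, the explanation and the paragraph above describe, worked through as an added example (this is not code from the original page): a Python script that parses saved tasklist /svc and netstat -ano output, joins them on PID, flags listeners owned by processes that host no service or that sit on a known payload port, and then offers the two follow-up checks named above, pulling the DLL argument out of a rundll32 command line and confirming that the wmic ExecutablePath is the real System32 binary. The two input strings are constructed from the exhibit plus a few extra rows of my own (benign RDP and NTP sockets on the service-hosting svchosts, an outbound HTTPS session, and a listener on 8080 whose PID is missing from tasklist); the payload-port list and the allow-list of service-less images are analyst assumptions to tune, not rules.

```python
"""Offline correlation of tasklist /svc and netstat -ano output by PID (added example, not from
the page). Inputs are constructed: the exhibit's rows plus benign sockets on the TermService and
W32Time svchosts, one outbound HTTPS session, and one listener whose PID is absent from tasklist."""
import ntpath
import re
from collections import namedtuple

TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 CryptSvc, Dnscache, LmHosts, EventSystem
svchost.exe                   1344 W32Time, WdiServiceHost
svchost.exe                    768 BFE, MpsSvc
notepad.exe                   1456 N/A
svchost.exe                    524 SessionEnv, TermService, UmRdpService
rundll32.exe                  1500 N/A
"""
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1500
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.20:49715     52.96.0.10:443         ESTABLISHED     1236
  UDP    0.0.0.0:123            *:*                                    1344
"""
# Analyst assumptions to tune, not rules: 4444 is the Metasploit default LPORT and 31337 the classic
# Back Orifice port; the listed images legitimately own listeners while showing N/A under Services.
KNOWN_PAYLOAD_PORTS = {4444, 31337}
SERVICELESS_LISTENERS_OK = {"System", "wininit.exe", "services.exe"}

Process = namedtuple("Process", "pid image services")
Socket = namedtuple("Socket", "proto local_addr local_port state pid")
Finding = namedtuple("Finding", "pid image port reasons")

_TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")
_NET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_RUNDLL_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("([^"]+)"|[^\s,]+)(?:,(\S+))?', re.I)

def parse_tasklist_svc(text):
    """Map PID -> Process. The header and ruler lines fail the regex; indented continuation
    lines of very long service lists are skipped (the exhibit has none)."""
    procs = {}
    for line in text.splitlines():
        m = _TASK_RE.match(line)
        if not m:
            continue
        image, pid, svc = m.group(1), int(m.group(2)), m.group(3)
        services = frozenset() if svc == "N/A" else frozenset(s.strip() for s in svc.split(","))
        procs[pid] = Process(pid, image, services)
    return procs

def parse_netstat_ano(text):
    """Parse TCP and UDP rows (UDP rows have no State column); [::]:445-style IPv6 locals work too."""
    socks = []
    for line in text.splitlines():
        m = _NET_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        addr, port = local.rsplit(":", 1)
        socks.append(Socket(proto, addr.strip("[]"), int(port), state or "", int(pid)))
    return socks

def find_suspicious_listeners(procs, socks):
    """Join listeners to processes on PID and explain every one that deserves a closer look."""
    findings = []
    for s in socks:
        if s.proto != "TCP" or s.state != "LISTENING":
            continue
        proc = procs.get(s.pid)
        reasons = []
        if proc is None:  # the two commands are not atomic: owner exited in between, or is hidden
            reasons.append("owning PID absent from tasklist")
        elif not proc.services and proc.image not in SERVICELESS_LISTENERS_OK:
            reasons.append(f"{proc.image} hosts no Windows service yet owns a listener")
        if s.local_port in KNOWN_PAYLOAD_PORTS:
            reasons.append(f"port {s.local_port} is an offensive-framework default")
        if reasons and s.local_addr in ("0.0.0.0", "::"):
            reasons.append("bound to all interfaces: a bind shell reachable from the network")
        if reasons:
            findings.append(Finding(s.pid, proc.image if proc else "?", s.local_port, tuple(reasons)))
    return findings

def rundll32_dll_from_cmdline(cmdline):
    """Return (dll_path, entry_point) from a rundll32 command line, else None. This is the next
    pivot once a listener is tied to a genuine rundll32.exe: the hostile code is in that DLL."""
    m = _RUNDLL_RE.match(cmdline)
    return (m.group(2) or m.group(1), m.group(3)) if m else None

def image_path_is_expected(image, path, system_dirs=(r"C:\Windows\System32", r"C:\Windows\SysWOW64")):
    """True if ExecutablePath is the real system binary. That only rules out a file masquerade;
    a genuine rundll32.exe still runs whatever DLL it was handed or had injected into it."""
    head, tail = ntpath.split(path)
    return tail.lower() == image.lower() and head.lower() in {d.lower() for d in system_dirs}

if __name__ == "__main__":
    for f in find_suspicious_listeners(parse_tasklist_svc(TASKLIST_SVC), parse_netstat_ano(NETSTAT_ANO)):
        print(f"PID {f.pid} ({f.image}) TCP/{f.port}: " + "; ".join(f.reasons))
```

Paste real live-response output into the two strings to use it offline; on a live host the same join is Get-NetTCPConnection -State Listen (OwningProcess) against Get-Process, with Get-CimInstance Win32_Process supplying the CommandLine to feed into the rundll32 check. The constructed listener with no matching PID shows the second failure mode worth handling: because the two commands are not atomic, that can be a process that exited between them, but on a suspect host it can also be one hidden from the process list, which is another reason to confirm against a memory image.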

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

During live response, analysts routinely collect tasklist /svc, netstat -ano and process image paths (via wmic or PowerShell) from a suspect workstation and join them on PID, either on the host or offline from the saved output. A TCP listener owned by a process that hosts no service, especially a living-off-the-land binary such as rundll32.exe on a port like 4444, is escalated immediately: the analyst pulls the command line to see which DLL was loaded, checks the parent process and loaded modules, hashes and signature-checks the DLL, and preserves a memory image before the backdoor is disturbed. The same correlation catches reverse shells, which show up as ESTABLISHED outbound sessions from an unexpected process rather than as listeners.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this CHFI question test?

Malware Forensics: correlating netstat -ano output with tasklist /svc output by PID to identify the process that owns a suspicious listening port.

What is the correct answer to this question?

The correct answer is: Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444. Option D is correct because the netstat -ano output shows a TCP socket in LISTENING state on 0.0.0.0:4444 owned by PID 1500, which tasklist /svc identifies as rundll32.exe with no services attached, and wmic confirms that the image path is the real System32 binary. Port 4444 is Metasploit's default LPORT and a common choice for other RATs, and rundll32.exe is a legitimate Windows binary that attackers abuse to run a malicious DLL or as a host for injected code. A listener on an unusual port, bound to all interfaces and owned by a process that is not a network service (unlike the svchost.exe instances hosting TermService or BFE), strongly indicates a backdoor.

What should I do if I get this CHFI question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 30, 2026


This CHFI practice question is part of Courseiva's free EC-Council certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CHFI exam.