Practice 1

Question 1: Observe the information from x32dbg. Which address shows an instruction set that indicates a software breakpoint?

A. 004013A8
B. 004013AF
C. 004013C6
D. 004013DE

Question 2: Which is a limitation of emulators?
A. Handling unfamiliar instructions
B. Modeling API calls
C. Identifying suspicious functions
D. Providing an overview of capabilities

Question 3: Which of the following networking options can prevent the adversary from detecting investigation efforts?

A. Ensuring all communications go through TOR
B. Running OpenVPN on the public cloud and connecting to it
C. Connecting from the same network that is targeted by the attacker
D. Leverage a widely used commercial VPN service

Question 4: Which element will be removed from the stack last?

A. RET
B. VAR0
C. VAR2
D. ARG2

Question 5: Which of the following describes an exploit?

A. Machine code that can be executed by the CPU
B. Code that results in unexpected application behavior
C. Code that executes after a vulnerable application is abused
D. A software defect that can be abused

Question 6: Which of the following identifies a PowerShell script?

A. Calls to the eval() function
B. A variable named $rm
C. An embedded macro
D. Base64 encoded strings

Question 7: Which of the following is used to return a handle for a remote process?

A. OpenProcess
B. WriteProcessMemory
C. VirtualAllocEx
D. CreateRemoteThread

Question 8: How would a JavaScript debugger be used to analyze the following code?

function mydecoder(ex){S1=arguments.callee.toString().replace(/\W/g,"").toUpperCase();S2=arguments.callee.toString().replace(/\W/g,"").toUpperCase().length;if(arguments.callee.toString().indexOf(" ",214)!=-1){S1="prits";S2=S1.length;}if(arguments.callee.toString().indexOf("\r\n")!=-1){S1="prouts";S2=S1.length;}if(arguments.callee.toString().indexOf("\n")!=-1){S1="prats";S2=S1.length;};str=ex;l=str.length;c=1;d=0;out="";temp2="";temp3="";temp2=0;temp=0;while(c<=str.length-1){if(str.charAt(c)!="x")temp3=temp3+str.charAt(c);else{key=0;flag=true;for(i=0;i<d;i++){if(flag==true){key=key+S1.charCodeAt(i);flag=false;}else{key=key-S1.charCodeAt(i);flag=true;}}for(i=d;i<S2;i++){if(flag==true){key=key+S1.charCodeAt(i);flag=false;}else{key=key-S1.charCodeAt(i);flag=true;}}if(key<0)key=-1*key;temp2=temp3^key;d++;if(d>S2-1)d=0;out=out+String.fromCharCode(temp2);temp3="";}c++;}eval(out);}
mydecoder("x177x166x181x231x166x231x250x231x169x162x176x231x134x181x181x166x190x239x224x147x175x174x180x231x224x235x224x174x180x231x224x235x224x179x162x180x179x230x224x238x252x180x231x250x231x166x156x247x154x231x236x231x229x231x229x231x236x231x166x156x246x154x231x236x231x229x231x229x231x236x231x166x156x245x154x252x163x168x164x178x170x162x169x179x233x176x181x174x179x162x239x180x238x252x");

A. Setting a breakpoint at the beginning of the line of the eval(out)
B. Print the value of the "out" variable before eval(out) executes
C. Entering a newline character before eval() to display its content

Question 9: An analyst is analyzing web traffic using a web browser and sniffer running in the background. He captures the traffic shown, but the "Application Data" is not human-readable. What action should he take to read the application data?

A. Read the unencrypted data in packet 419
B. Configure his browser to save the encryption key and apply it to captured traffic
C. Click "Allow blocked content" when visiting the webpage in the browser
D. Run a debugger in the browser and add a breakpoint to the body of the web document

Question 10: What can the following line in a pdf document do for an attacker?
/URI (http ://TrueURL.com/index.html)

A. The machine that opens the document can give information about itself to the attacker automatically
B. The machine that opens the document runs any Java code from the attacker automatically
C. The machine that opens the document can send documents to the attacker automatically
D. The machine that opens the document can execute the malware of the attacker automatically

Question 11: Based on the information provided in the screenshot, what can be inferred about bad.doc?

A. There is an OLE object at Level 1
B. There is an OLE object at Level 3
C. There is a VBA macro at Level 1
D. There is a VBA macro at Level 2

Question 12: Which is an example of how "fileless" software could be stored on a system?

A. Encoded in a registry key
B. Executed from a Powershell script
C. Embedded in a shared library
D. Compressed and password-protected

Question 13: What is the malware trying to do in the code given below?

.text:004094C8 loc_4094C8: ; CODE XREF: sub_4094A6+1Bj
.text:004094C8 test byte ptr [ebp+arg_10], 1
.text:004094CC mov ecx, offset aPost ; "POST"
.text:004094D1 jnz short loc_4094D8
.text:004094D3 mov ecx, offset aGet ; "GET"
.text:004094D8
.text:004094D8 loc_4094D8: ; CODE XREF: sub_4094A6+2Bj
.text:004094D8 push 0
.text:004094DA push eax
.text:004094DB push offset off_417000
.text:004094E0 push 0
.text:004094E2 push offset aHttp1_1 ; "HTTP/1.1"
.text:004094E7 push [ebp+arg_4]
.text:004094EA push ecx
.text:004094EB push [ebp+arg_0]
.text:004094EE call ds:HttpOpenRequestA
.text:004094F4 mov esi, eax
.text:004094F6 test esi, esi
.text:004094F8 jz short loc_409558
.text:004094FA test ebx, ebx
.text:004094FC jz short loc_409504
.text:004094FE xor eax, eax
.text:00409500 xor ecx, ecx
.text:00409502 jmp short loc_40950C

A. The malware is creating an http header for a message to the server
B. The malware is trying to intercept the victim's http connections
C. The malware is checking a request for an address made by a victim to a website

Question 14: Based on the information in the screenshot, what is the next step for fixing the dumped process?

A. Pick DLL
B. Get Imports
C. PE Rebuild
D. Fix Dump

Question 15: Which is an advantage to inline function use rather than non-inlined
function use?
A. Increased functionality
B. Lower cost
C. Lower complexity
D. Increased reusability

Question 16: Review the following assembly code. What would be the equivalent in C/C++?

A. if (ax > bx) then { X = 1; } else { X = 0; }
B. if (ax < bx) then { X = 1; } else { X = 0; }
C. if (ax != bx) then { X = 1; } else { X = 0; }
D. if (ax == bx) then { X = 1; } else { X = 0; }

Question 17: Which of the following is functionally equivalent to a series of nested if-
else statements, but uses a different syntax?

A. Switch
B. Branching
C. Looping
D. If-ElseIf-Else

Question 18: How many unexpected/unknown characters were found after the expected end
point of the file in the screenshot provided?

A. 12534
B. 194395
C. 213782
D. 2376

Question 19: Which is a benefit of analyzing SRP streams?

A. Reveals artifacts from previous versions
B. Displays all strings for the document
C. Displays encoded data within the document
D. Shows DLL imports used in malware

Question 20: Which of the following describes OOXML formatted documents?

A. They are easier to parse than OLE2 formatted documents
B. Their macros will run with any filename and extension
C. They are a structured collection of objects and streams
D. They are more prone to vulnerabilities than other formats

Question 21: Which VMWare network option offers the strongest separation between
guest and host systems for conducting malware analysis?

A. Custom virtual network
B. Bridged networking
C. Host-only virtual network
D. Shared network

Question 22: Which is the most reliable method for reverting the state of a physical lab
host?

A. Disk cloning
B. PXE booting
C. Snapshot software

Question 23: A researcher used x64dbg to set a breakpoint for a common Windows API call.
Code execution stopped once the call was reached. Which option from the x64dbg Debug menu
below will continue code execution until code written by the developer of the specimen is
reached?

A. C
B. E
C. A
D. B
E. D
Question 24: Analyze the Process Hacker and Wireshark screenshot. Assuming the malware
communicates over HTTPS, what can an analyst do on 169.254.187.6 to intercept and uncover
additional details about the ghyte specimen?

A. Start the httpd webserver
B. Open port 443 on the host firewall
C. Start InetSim
D. Start the fakedns service

Question 25: While reviewing a suspicious file, an analyst notices the following API
calls. What can be inferred about the file from these calls?
CreateFile
FindFirstFileA
FindResource
LockResource
RegEnumKeyEx
SizeofResource

A. It is a dropper
B. It is a keylogger
C. It downloads a second stage
D. It is persistent

Question 26: Which function is commonly used to save the first few bytes of the victim
function when performing API Hooking?

A. SaveMemoryAddress
B. VirtualProtect
C. GetProcAddress
D. ReadProcessMemory

Question 27: Which of the following options can extract both unicode and ASCII
encoded strings from a file called "file1.exe"?

A. strings -a file1.exe
B. capa file1.exe | more
C. run_speakeasy.py file1.exe
D. pestr file1.exe

Question 28: What conclusion about NCC-1701.exe can be made from the following
registry key?
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncc-1701.exe

A. It is benign
B. It will attempt to update to the current version
C. It will run at startup with SYSTEM privileges
D. It is malicious
E. It will run after a user logs in

Question 29: Which instruction gives an indirect address?

A. mov eax, dword_94238C
B. mov eax, [0x0040325C]
C. mov eax, [DS:358C32]
D. mov eax, [EBP+14h]

Question 30: Which obfuscation method involves changing with a 1-byte key value?

A. ROL
B. ROT
C. XOR
D. MD5

Question 31: What techniques can be used by malware authors to detect that a binary is
being run in a virtual machine?

A. Monitoring keystrokes
B. Getting the name of the current window
C. Checking for mouse usage
D. Surveying video controllers

Question 32: To ensure that malicious code will only run under Internet Explorer, what
could an attacker do?

A. Write the script in AJAX
B. Utilize special arguments to document.write()
C. Write the script in VBScript
D. Write the script in JavaScript

Question 33: An analyst is directly accessing a malicious website. The script on the site
has multiple components that have different results depending on the input into forms.
Which approach allows the analyst to most easily enumerate the results?

A. Access the site repeatedly using different VPN endpoints
B. Connect to the site while toggling the user agent to simulate different browsers
C. Run the traffic through a local HTTP proxy, pausing to edit and replay traffic
D. Use a non-GUI browser to download the website and edit the source code of the site

Question 34: Examine the block of assembly code. Which statement would be
equivalent?
CMP EAX, 7
JA BLOCK1
CMP EAX, 11
JA END

BLOCK1:
<do something>

END:
<continue doing things>

A. if((intVar > 7) || (intVar > 11))
B. if((intVar > 7) && (intVar > 11))
C. if((intVar > 7) || (intVar < 11))
D. if((intVar > 7) && (intVar < 11))

Question 35: Which calling convention is demonstrated in the code snippet below?

PUSH dword ptr [EBP + param_1]
XOR EBX, EBX
PUSH EBX
PUSH 0x47a
MOV byte ptr [EBP + local_5], BL
CALL dword ptr [->KERNEL32.DLL::OpenProcess]
MOV ESI, EAX

A. cdecl
B. fastcall
C. thiscall
D. stdcall
Question 36: Which of the following is an example of a data manipulation instruction
used for bit manipulation in assembly code?

A. add
B. xchg
C. shr
D. eax

Question 37: While examining a specimen on host 169.254.187.2, in an isolated lab environment, the traffic shown in the attached image is observed in Wireshark. What can be done to find additional capabilities of the specimen?

A. Configure the firewall to allow ICMP traffic
B. Start the httpd webserver on 169.254.187.6
C. Configure the firewall to allow DNS traffic
D. Start the fakedns service on 169.254.187.2 or 169.254.187.6

Question 38: When looking at a packed executable with a hex editor, which of the
following will be the only clear text program segment that will be identifiable?

A. The payload
B. The major system calls
C. The decryptor routine
D. The packed program
Question 39: What is a characteristic of a script interpreter like SpiderMonkey or
cscript?

A. Sets breakpoints without requiring direction from the analyst
B. Works only for scripts embedded within web pages
C. Handles JavaScript components as well as HTML tags
D. Runs scripts embedded inside malicious documents

Question 40: When the function prologue uses the stack to copy the current value of the
stack to the frame pointer, which instruction indicates that a local variable is being
accessed by the code?

A. [ebp+8]
B. [ebp-4]
C. [move esp, ebp]

Question 41: Which general purpose register is used to reference function parameters
and local variables on the stack?

A. EAX
B. ESP
C. EBP
D. ECX

Question 42: The snippet below is formatted to be executed with which file extension?

function gproc
{
    Param
    (
        [Parameter(Position=0,Mandatory=$True)]
        [String] $Module,
        [Parameter(Position=1,Mandatory=$True)]
        [String] $Procedure
    );
    $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object
    {

A. ps1
B. js
C. dll
D. json

Question 43: Which of the following is used to perform static malware analysis?

A. Decompiling
B. Emulating
C. Debugging
D. Fuzzing

Question 44: How does Process Monitor support the analysis process?

A. Displays network traffic for a host
B. Identifies file operations for a process
C. Visualizes logs of other behavioral analysis tools
D. Compares the state of a system before and after infection

Question 45: An analyst is investigating a malware executable downloaded to a VM server from an infected website. The executable redirected browser pages and generated network traffic to an unknown Internet IP address.

The analyst starts the last clean VM snapshot of the victim server and installs
behavioral analysis tools. When they run the malicious executable the process
terminates immediately. Which action should they take to continue analysis of the
executable?

A. Update the VM server operating system service pack and patch level
B. Download a new copy of the executable from the malicious website
C. Limit analysis to the static properties of the executable
D. Check for code in the malware that detects analysis tools, and patch it if necessary

Question 46: Compare the section hashes provided. What can be inferred from this
information?
Sample 1
--------
.text - f9b520fe3d7d42a68eb5c848e00c7369
.data - ffdac9c277a552ef7d24e3092ceeda26
.rsrc - bed378f07d315bd5744cc19b45349e13
.reloc - 4dvdaf80c3ac06227583c39a9410e708
Sample 2
--------
.text - f9b520fe3d7d42a68eb5c848e00c7369
.data - 34a7c4d09d111abb74a6272e244a1baf
.rsrc - bed378f07d315bd5744cc19b45349e13
.reloc - 4dvdaf80c3ac06227583c39a9410e708

A. The samples are related
B. The samples are not the same size
C. The samples are identical
D. The samples have different capabilities

Question 47: An analyst has opened a trojan in a debugger. It contains the following
lines of code. What can they do to continue analyzing the sample?

call [IsDebuggerPresent]
test eax, eax
jnz .debugger_found

A. Manually adjust the eax register after the call is made
B. Manually adjust the eax register before the call is made
C. Bypass the code by setting a breakpoint after the jump

Question 48: Analyze the Regshot output in the image, generated from an infection of RedLine
Stealer. What command would an analyst use based on this output?

A. Get-Service
B. base64 -d
C. schtasks /query
D. netstat -naob

Question 49: Based on the Windows registry key value shown below, how will the
operating system attempt to execute the script?
"C:\WINDOWS\system32\mshta.exe" "javascript:hwC8XPL="7mR74";"

A. Command line
B. Windows Explorer
C. The Microsoft browser installed on the system
D. The current user's default web browser

Question 50: Why would malware call VirtualProtect inside an unpacking routine?

A. To lock a resource
B. To unpack the program
C. To perform keylogging

Question 51: Which method would assist an analyst reviewing malware that detects
analysis tools?

A. Using open source tools
B. Using commercial tools
C. Using a physical system
D. Using a virtual system

Question 52: When an analyst deobfuscates lines in a PDF file they find the following:
"%u9090%u9090%u9090%u9090" What does this indicate?

A. Code that shows a line of spaces in text file
B. Code that requires deobfuscation
C. Code used to traverse file system directories on a web server
D. Code that is executed in a memory location unknown to the attacker

Question 53: In the following code, what happens if [ebp-0x90] = 3?

003201FC loc_3201FC:
003201FC
003201FC cmp [ebp-0x90], 9
00320200 jnz loc_32021C
00320204 cmp [ebp-0x8c], 3
00320208 jnz loc_32021C
0032020C lea edi, ds:320445h
00320210 mov [ebp+var_225], edi
00320214 jmp loc_320230
00320218
0032021C
0032021C loc_32021C:
0032021C
0032021C lea edi, ds:320A24h
00320220 mov [ebp+var_225], edi

A. The comparison at 0x00320204 is made.
B. The jump at 0x00320214 is made.
C. The code block at 0x0032021C is executed.

Question 54: Based on the following Fiddler web debugging entry, what can be
inferred?
200 HTTP 195.154.122.226 /kitten.jpg 11 image/jpeg 857G.exx:6404

A. The kitten.jpg file hosted by 195.154.122.226 gets renamed to 857G.exx when downloaded to a web client
B. IP 195.154.122.226 uses the kitten.jpg file to download an executable named 857G.exx
C. The running host process 857G.exx has initiated a connection to IP 195.154.122.226
D. Possible C2 communications are being sent to 195.154.122.226 over port 6404

Question 55: Which option describes the purpose of this pseudo-code?

int fh;
for (fh=0; fh < 65536; fh += 4)
{
    if (GetFileSize(fh, NULL) == mysize) return fh;
}

A. The GetFileSize call allows the shellcode to locate itself similar to GetEIP
B. GetFileSize allows the shellcode to locate its document file from which to extract necessary components
C. GetFileSize allows the shellcode to identify exploitable heap segments in memory
D. The GetFileSize call aids in identifying LoadLibraryA and GetProcAddress by locating kernel32.dll
