A malware incident has been reported on the corporate network. Four hosts are shown below.
Review each host's event log carefully and classify each as one of:
- Origin: the host that first introduced the infection
- Infected: compromised by the origin host
- Clean: no signs of compromise
Use timestamps, SMB connections, USB events, and AV alerts to make your determination.
WORKSTATION-A
192.168.1.101
[08:12:04] User login: jsmith
[08:15:22] AV scan: No threats found
[08:30:01] File access: reports.xlsx
[09:01:15] User logout: jsmith
WORKSTATION-B
192.168.1.102
[07:55:10] User login: mlee
[08:02:33] USB device inserted: Unknown
[08:03:01] Process created: malware.exe
[08:03:45] SMB outbound → 192.168.1.103
[08:04:10] SMB outbound → 192.168.1.104
[08:05:22] AV alert: Trojan.GenericKD blocked
WORKSTATION-C
192.168.1.103
[08:01:00] User login: atran
[08:04:05] SMB inbound ← 192.168.1.102
[08:04:18] Process created: svchost_fake.exe
[08:06:40] AV alert: Worm.SMB.Lateral – quarantine FAILED
[08:07:00] Outbound C2 → 203.0.113.50:443
SERVER-D
192.168.1.104
[08:00:00] Service started: IIS
[08:04:22] SMB inbound ← 192.168.1.102
[08:04:55] File written: C:\Windows\Temp\update.bat
[08:05:30] AV alert: Trojan.GenericKD – quarantined
[08:05:31] AV quarantine: SUCCESS
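One way to carry out the triage above mechanically, as an added example that is not part of the exercise: it parses the four logs transcribed from this page, treats process creation, file writes, AV alerts and outbound C2 as compromise indicators, and attributes a host's compromise to a peer only when an inbound SMB event precedes the host's first indicator and the peer's own log shows the matching outbound within a clock-skew window. The indicator list, the entry-vector list (USB insertion) and the 60-second skew tolerance are assumptions of the example. Whether AV remediated the host is recorded separately from the label, since a quarantined payload is still evidence that the host was reached.

```python
"""Correlate the four host timelines into an infection chain.

Added example, not part of the exercise. Logs are transcribed from the
page; the indicator, entry-vector and clock-skew rules are assumptions.
"""
import re
from datetime import datetime, timedelta

# Transcribed from the exercise: host -> (IP, raw event log).
HOST_LOGS = {
    "WORKSTATION-A": ("192.168.1.101", """
        [08:12:04] User login: jsmith
        [08:15:22] AV scan: No threats found
        [08:30:01] File access: reports.xlsx
        [09:01:15] User logout: jsmith"""),
    "WORKSTATION-B": ("192.168.1.102", """
        [07:55:10] User login: mlee
        [08:02:33] USB device inserted: Unknown
        [08:03:01] Process created: malware.exe
        [08:03:45] SMB outbound → 192.168.1.103
        [08:04:10] SMB outbound → 192.168.1.104
        [08:05:22] AV alert: Trojan.GenericKD blocked"""),
    "WORKSTATION-C": ("192.168.1.103", """
        [08:01:00] User login: atran
        [08:04:05] SMB inbound ← 192.168.1.102
        [08:04:18] Process created: svchost_fake.exe
        [08:06:40] AV alert: Worm.SMB.Lateral – quarantine FAILED
        [08:07:00] Outbound C2 → 203.0.113.50:443"""),
    "SERVER-D": ("192.168.1.104", r"""
        [08:00:00] Service started: IIS
        [08:04:22] SMB inbound ← 192.168.1.102
        [08:04:55] File written: C:\Windows\Temp\update.bat
        [08:05:30] AV alert: Trojan.GenericKD – quarantined
        [08:05:31] AV quarantine: SUCCESS"""),
}

EVENT_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(.*)$")
SMB_RE = re.compile(r"SMB (inbound|outbound)\s*[←→]\s*(\d{1,3}(?:\.\d{1,3}){3})")
# Assumption: these event types show the host ran or received malicious code.
INDICATOR_PREFIXES = ("Process created:", "File written:", "AV alert:", "Outbound C2")
# Assumption: a local (non-network) entry vector.
LOCAL_VECTOR_PREFIXES = ("USB device inserted",)
# Assumption: per-host clocks may disagree by up to this much.
CLOCK_SKEW = timedelta(seconds=60)
REMEDIATED_RE = re.compile(r"quarantine: SUCCESS|quarantined\b|blocked")


def parse_log(raw):
    """Return [(datetime, event_text), ...] in log order."""
    events = []
    for line in raw.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return events


def smb_events(events, direction):
    """Yield (time, peer_ip) for SMB events in the given direction."""
    for t, text in events:
        m = SMB_RE.search(text)
        if m and m.group(1) == direction:
            yield t, m.group(2)


def classify(host_logs):
    """Label each host Origin / Infected / Clean, with the evidence used."""
    ip_to_host = {ip: host for host, (ip, _) in host_logs.items()}
    events = {host: parse_log(raw) for host, (_, raw) in host_logs.items()}
    first_hit = {}
    for host, evs in events.items():
        times = [t for t, text in evs if text.startswith(INDICATOR_PREFIXES)]
        first_hit[host] = min(times) if times else None

    result = {}
    # Earliest-compromised hosts first, so a victim's source is already labelled.
    order = sorted(events, key=lambda h: (first_hit[h] is None, first_hit[h] or datetime.min))
    for host in order:
        t0 = first_hit[host]
        if t0 is None:
            result[host] = {"label": "Clean", "reason": "no compromise indicators", "av_remediated": False}
            continue
        remediated = (any(REMEDIATED_RE.search(text) for t, text in events[host] if t > t0)
                      and not any("FAILED" in text for _, text in events[host]))
        source = None
        for t_in, src_ip in smb_events(events[host], "inbound"):
            src = ip_to_host.get(src_ip)
            if t_in >= t0 or src is None or result.get(src, {}).get("label") not in ("Origin", "Infected"):
                continue
            # Confirm the peer logged the matching outbound within the skew window.
            if any(peer == host_logs[host][0] and abs(t_out - t_in) <= CLOCK_SKEW
                   for t_out, peer in smb_events(events[src], "outbound")):
                source = (src, t_in)
                break
        if source:
            label, reason = "Infected", (f"SMB inbound from {source[0]} at {source[1]:%H:%M:%S} "
                                         f"preceded first indicator at {t0:%H:%M:%S}")
        elif any(text.startswith(LOCAL_VECTOR_PREFIXES) and t < t0 for t, text in events[host]):
            label, reason = "Origin", f"local entry vector preceded first indicator at {t0:%H:%M:%S}; no prior inbound SMB"
        else:
            label, reason = "Infected", "compromised; entry vector not visible in these logs"
        result[host] = {"label": label, "reason": reason, "av_remediated": remediated}
    return result


if __name__ == "__main__":
    for host, verdict in classify(HOST_LOGS).items():
        flag = " (AV remediated)" if verdict["av_remediated"] else ""
        print(f"{host:14} {verdict['label']:8}{flag}: {verdict['reason']}")
```

The ordering step matters: hosts are resolved in order of their first indicator so that by the time a victim's inbound SMB is examined, the source host already carries a label. The skew window is what lets WORKSTATION-B's outbound at 08:03:45 be matched to WORKSTATION-C's inbound at 08:04:05; with strict equality the two logs would never correlate.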