You will use the volatility output text files located in the CYBV $400$ network folder in your Virtual Learning Environment VM to answer this question.

Review the psxview text file.

Find the wsmprovhost.ex process

Notice there are two.

One shows an entry of True in every column. Meaning it has not attempted to hide.

Find the instance of this process where the pslist column shows an entry of False.

The PID $464$ where the psscan column is true, but all other columns are false SHOULD indicate the process is no longer in memory and would therefore NOT be suspicious. You should see an exit time, but here you do not. That is suspicious.

From the list below, select the memory address of the PID $464$ where the psscan column is true, but all other columns are false?

Question $11$ options:

$0$x$0000000039$a$65700$

$0$x$00000000835$a$8900$

$0$x$0000000102$a$4$a$900$

$0$x$00000001097$f$2400$