Incident Response Discussion

Help me study for my Computer Science class. I’m stuck and don’t understand.

Reminder: Technical Environment Background

  • Corporate environment
  • 200 endpoints, Windows 10
  • 70 internal servers, mix of Linux and Windows
  • 30 databases, all MSSQL
  • 10 internet facing webpages supported by 40 servers in the DMZ
  • Regulatory requirements – SOX (publicly traded company)

Investigation Information:

  • Proxy logs show that a user was redirected to the webpage 3fehef7y539ej[.]eu from mycorporatenetwork.com (company intranet site)
  • 3fehef7y539ej[.]eu resolves to 172[.]16[.]200[.]55
  • DNS and Firewall logs indicate that 3 other computers have gone to this address
  • AV scan does not provide further information

Forensic Update:

  • Forensic memory analysis identifies 4utfind.exe running whenever Internet Explorer is launched
  • Sandbox analysis shows 4utfind.exe is injecting a background call to 3fehef7y539ej[.]eu

Questions:

  • What containment steps should be taken?
  • How will you know the network is clean?
  • Assume that you have a world class SOC with all the tools known to man
  • Do NOT attempt to go to the webpages or IP addresses listed
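The two questions above come down to scoping and verification: pull every host that touched the indicators the investigation produced (the domain, its IP, and the 4utfind.exe process) from proxy, DNS, firewall and endpoint telemetry, contain those hosts, and then keep watching the same sources for any further contact, since a firewall block is containment, not proof of eradication. The script below is an added example, not part of the assignment or any SOC tool. The log line layout (`<timestamp> <source> key=value ...`), the host names, the timestamps and the `since` containment time are all constructed for the example; only the three indicators come from the scenario.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Indicators taken from the scenario (domain written undefanged only so it can be matched)
IOC_DOMAIN = "3fehef7y539ej.eu"
IOC_IP = "172.16.200.55"
IOC_PROCESS = "4utfind.exe"

# Constructed sample log lines; the "<ts> <source> key=value ..." layout is an assumption
SAMPLE_LOGS = [
    "2024-05-01T09:10:40Z edr host=WS-0142 parent=iexplore.exe image=4utfind.exe",
    "2024-05-01T09:11:59Z dns host=WS-0142 query=3fehef7y539ej.eu answer=172.16.200.55",
    "2024-05-01T09:12:01Z proxy host=WS-0142 url=http://3fehef7y539ej.eu/ad.js referer=http://mycorporatenetwork.com/news",
    "2024-05-01T09:12:03Z fw host=WS-0203 dst=172.16.200.55 dport=443 action=allow",
    "2024-05-01T09:15:22Z dns host=WS-0077 query=3fehef7y539ej.eu answer=172.16.200.55",
    "2024-05-01T09:20:00Z proxy host=WS-0042 url=http://intranet.mycorporatenetwork.com/ referer=-",
    # Denied after the perimeter block went in: the host is still trying to reach the site
    "2024-05-01T13:05:10Z fw host=WS-0199 dst=172.16.200.55 dport=443 action=deny",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into (timestamp, source, key/value fields)."""
    ts, source, rest = line.split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, source, dict(KV_RE.findall(rest))


def matched_indicator(source, f):
    """Return the indicator a parsed record matches, or None if it is benign."""
    if source == "dns" and (f.get("query") == IOC_DOMAIN or f.get("answer") == IOC_IP):
        return IOC_DOMAIN
    if source == "proxy" and urlparse(f.get("url", "")).hostname == IOC_DOMAIN:
        return IOC_DOMAIN
    if source == "fw" and f.get("dst") == IOC_IP:
        return IOC_IP  # a denied connection still counts: the host is still beaconing
    if source == "edr" and f.get("image", "").lower() == IOC_PROCESS:
        return IOC_PROCESS
    return None


def find_hits(lines):
    """Every (time, host, source, indicator) tuple where a log line touches an IoC."""
    hits = []
    for line in lines:
        when, source, fields = parse(line)
        ioc = matched_indicator(source, fields)
        if ioc:
            hits.append((when, fields["host"], source, ioc))
    return hits


def affected_hosts(lines):
    """Containment scope: each host that touched an indicator and which sources saw it."""
    seen = {}
    for _, host, source, _ in find_hits(lines):
        seen.setdefault(host, set()).add(source)
    return {host: sorted(sources) for host, sources in seen.items()}


def is_clean(lines, since):
    """Verification: no indicator hit (allowed or denied) from any host after containment."""
    cutoff = datetime.strptime(since, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    stragglers = sorted({host for when, host, _, _ in find_hits(lines) if when >= cutoff})
    return (not stragglers, stragglers)


if __name__ == "__main__":
    for host, sources in affected_hosts(SAMPLE_LOGS).items():
        print(f"{host}: evidence from {', '.join(sources)}")
    ok, left = is_clean(SAMPLE_LOGS, "2024-05-01T12:00:00Z")
    print("clean" if ok else f"not clean, still beaconing: {left}")
```

`affected_hosts` gives the list to isolate and image (the user's machine plus the three others the DNS and firewall logs mention). `is_clean` is the answer to the second question: the network is only clean once the same log sources show no new contact with the indicators after containment, and a denied firewall hit is evidence against cleanliness, not for it, because it means a host still has something trying to call out.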