Comprehensive and Detailed Explanation From Exact Extract:

The analyst should review PID 768 first because it is the parent process of another suspicious process (PID 1100) and it is also highly suspicious itself due to its unexpected file path.

Why PID 768 is the best first process to review

Path anomaly (strong IoC): Legitimate Windows binaries like calc.exe and cmd.exe are normally found in trusted OS directories (e.g., C:\Windows\System32\). In the table, both CALC.exe and CMD.exe appear in a user’s Documents folder (C:\Users\JDoe\Documents\...). That is a classic sign of masquerading (a malicious binary using a legitimate-sounding name). The All-in-One guide explicitly describes how attackers disguise malicious processes by using legitimate-sounding names and mimicking system processes.

Parent-child relationship (investigation priority): PID 1100 (Documents\CMD.exe) is suspicious, but it is a child of PID 768 (Documents\CALC.exe). Investigating the parent first helps you understand what spawned the suspicious child, what activity preceded it, and whether PID 768 is the root of the execution chain. The All-in-One guide highlights that analysts should examine process parent-child relationships and investigate unexpected dependencies as a way to detect malicious activity:Exact extract (All-in-One Exam Guide): “Analyze process dependencies Examine process parent-child relationships and investigate any unexpected or unusual dependencies that may indicate malicious activity.” It also emphasizes monitoring grandparent/parent/child relationships to detect deviations from normal process hierarchies:Exact extract (All-in-One Exam Guide): “Monitoring the relationships between processes, particularly grandparent, parent, and child relationships, can be a valuable method for detecting unusual activity.”

Abused/LOLBIN context: cmd.exe is a commonly abused Windows utility in attacks. The Sybex Study Guide notes that attackers often abuse built-in tools and that abnormal OS process behavior involving tools like cmd.exe can indicate compromise:Exact extract (Sybex Study Guide): “For Windows systems, a handful of built-in tools are most commonly associated with attacks like these, including cmd.exe…”

Why the other options are less correct

A (533) and B (740) are running from C:\Windows\System32\... which is the expected location for legitimate Windows binaries in normal circumstances, so they’re less suspicious than the copies running from a user Documents folder.

D (1100) is suspicious, but it is a child of PID 768. Investigating 768 first helps determine the origin and execution chain that led to the suspicious cmd instance.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): parent/child process dependency analysis; process hierarchy monitoring; masquerading techniques

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): abnormal OS process behavior; cmd.exe commonly associated with attacks

Command-and-control (C2) beaconing involves compromised systems communicating with an attacker’s server at regular intervals, often using HTTPS to blend in with legitimate traffic. This is indicative of a potential compromise where malware communicates back to a command center. The persistent nature of the connections after hours and throughout the day suggests automated beaconing, which is a tell-tale sign of C2 activity. According to CompTIA CySA+, this type of activity should raise immediate suspicion and warrants further investigation and containment. While options B, C, D, and E might indicate other issues, they do not fit the pattern described as well as option A.

The first step should be to perform a public search for malware reports on taskhw.exe, as this file is suspicious for several reasons: it is located in a non-standard path, it has a high CPU usage, it is signed by an unknown entity, and it is only present on one host. A public search can help to determine if this file is a known malware or a legitimate program. If it is malware, the hunter can then take appropriate actions to remove it and prevent further damage. The other options are either premature or ineffective, as they do not provide enough information to assess the threat level of taskhw.exe. References: Cybersecurity Analyst+ - CompTIA, taskhw.exe Windows process - What is it? - file.net, Taskhostw.exe - What Is Taskhostw.exe & Is It Malware? - MalwareTips Forums

A Service-Level Agreement (SLA) is a document that establishes customer expectations regarding the performance and quality of services provided by the SOC (Security Operations Center). It defines thelevel of service expected, including aspects like response times, availability, and support after regular work hours. An SLA helps in setting clear expectations and improving customer satisfaction by outlining the standards and commitments of the service provider.

JavaScript Object Notation (JSON) is commonly used for transmitting data in web applications and would be suitable for updating dashboards that integrate various data sources. It's lightweight and easy to parse and generate.

Comprehensive and Detailed Explanation From Exact Extract:

CompTIA CySA+ CS0-003 explicitly lists “proprietary systems” as an inhibitor to remediation (i.e., a common obstacle that can delay or block patching/remediation).

Why D (Proprietary systems) is most likely to cause obstacles:

Proprietary systems often require vendor-provided patches, may have restricted modification, and can create delays due to vendor response time and dependencies on vendor updates. The Secbay Press guide explains that proprietary systems can be challenging due to “restricted access, dependencies on vendor updates, and potential delays in patching.”

The Sybex Study Guide also describes that proprietary systems may not have patches available quickly (or at all), and that vendor support requirements can conflict with vulnerability management needs:Exact extract (Sybex Study Guide): “Proprietary systems… may not have patches available or may have specific requirements placed on them by vendors… creating a conflict between vulnerability management policies and functional or business requirements.”

Why the other options are less “most likely” here:

A (Not meeting an SLA) is typically an outcome (a consequence) rather than the obstacle itself. The inhibitor is the SLA constraints, not “not meeting it.” CompTIA objectives list SLA as an inhibitor, not “not meeting an SLA.”

B (Patch prioritization) is a normal vulnerability management activity, not typically categorized as an inhibitor/obstacle in the CS0-003 inhibitor list.

C (Organizational governance) is also an inhibitor (bureaucracy/change control can slow remediation), but proprietary systems are often the most “hard-blocking” because you may be unable to patch without vendor action/support. Both are valid inhibitors, but “most likely” in practice (especially in exam framing) commonly points to vendor-controlled/proprietary constraints.

References (CompTIA CySA+ CS0-003 documents / study guides used):

CompTIA CS0-003 Exam Objectives v4.0: “Inhibitors to remediation” includes proprietary systems

Secbay Press CS0-003: Proprietary systems create remediation challenges due to vendor dependency and patch delays

Sybex CS0-003 Study Guide: proprietary systems may restrict patching and vendor support requirements can block remediation