An EDR alert flags a process named 'svchost.exe' running from C:\Users\Public\Downloads\ instead of C:\Windows\System32\, with a parent process of a Microsoft Word document that was opened minutes earlier. What should the analyst conclude?
- A. The process is very likely malicious, masquerading as a legitimate Windows service host to evade casual inspection Correct
- B. This is expected, since svchost.exe frequently runs from user-profile folders during software installs
- C. The parent-child relationship is normal, since Word often spawns system processes for spell-check services
- D. The alert is a false positive because svchost.exe is a trusted Microsoft binary regardless of location
Why A is correct
Legitimate svchost.exe only ever executes from C:\Windows\System32\. A same-named binary running from a Downloads folder, spawned by a document that was just opened, is a textbook masquerading and malicious-macro execution chain — and should be treated as compromise.
Why the others are incorrect
Genuine svchost.exe is never installed to or launched from user-profile folders, even during installers. Word does not legitimately spawn a process named svchost.exe for spell-check or any built-in feature. And trusting a binary by name alone is exactly the mistake masquerading exploits — file path and parent-process context determine legitimacy, not the name.