Nina, an experienced network incident responder working for a financial services firm, receives a series...

According to the EC-Council Incident Handler (ECIH) curriculum, malware infections commonly originate from users downloading malicious executables from untrusted external sources. The scenario clearly indicates repeated access to suspicious URLs followed by the download of unsigned executable files outside business hours. ECIH classifies such behavior as high-risk web activity leading to malware compromise.

The endpoint protection system flagged the executables as malicious after execution, and outbound communication attempts suggest command-and-control (C2) beaconing behavior. ECIH explains that once malware executes, it frequently attempts outbound connections to attacker-controlled infrastructure for instructions, payload updates, or data exfiltration.

There is no evidence suggesting Wi-Fi spoofing (Option B), as logs trace activity to an internal workstation. Option C (SQL injection) relates to web application vulnerabilities, which are not described in this endpoint-based download scenario. Option D (privilege escalation) may occur after infection, but it is not presented as the initial cause.

ECIH emphasizes monitoring web proxy logs, correlating SIEM alerts, validating digital signatures, and analyzing firewall egress traffic to confirm malware incidents. Nina’s actions—log correlation, endpoint isolation, and lateral movement investigation—align precisely with recommended containment procedures.

Therefore, the most likely cause of the incident is inappropriate resource usage through malicious downloads.